AUDIT OF SBA’S
INFORMATION SYSTEMS CONTROLS
FISCAL YEAR 2004
AUDIT REPORT NUMBER 5-12

FEBRUARY 24, 2005

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT
Issue Date: February 24, 2005
Number: 5-12

To:       Stephen D. Galvan
          Chief Operating Officer
          Chief Information Officer

          Jerry E. Williams
          Acting Chief Information Officer

          Thomas A. Dumaresq
          Chief Financial Officer

          Richard Brechbiel
          Chief Human Capital Officer

          /S/ Original Signed
From:     Robert G. Seabrooks
          Assistant Inspector General for Auditing

Subject:  Audit of SBA’s Information Systems Controls for FY 2004

Attached is the audit report on SBA’s Information Systems Controls for FY 2004 issued by Cotton & Company LLP as part of the audit of SBA’s FY 2004 financial statements.
The auditors reviewed the general and application controls over SBA’s financial management systems to determine if those controls complied with various Federal requirements.

General controls are the policies and procedures that apply to all or a large segment of an entity’s information systems to help ensure their proper operation. General controls affect the overall effectiveness and security of computer operations rather than specific computer applications. Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans. Application controls help ensure that transactions are valid, properly authorized, and completely and accurately processed by the computer. Federal requirements for general and application controls include Office of Management and Budget Circular A-130, Security of Federal Automated Information Resources, and the Computer Security Act of 1987.

The auditors concluded that SBA continued to make progress in implementing its information systems security program, but that improvements are still needed. The report describes areas where controls can be strengthened: (1) entity-wide security program controls, (2) access controls, (3) application software development and program change controls, (4) system software controls, (5) segregation of duty controls, and (6) service continuity controls. The report also provides recommendations for strengthening controls in these areas.

Responses from the Chief Financial Officer, Chief Human Capital Officer, and Acting Chief Information Officer (CIO) are included as attachments to this report.
However, the response from the Acting CIO was condensed, and the attachments (A-D) that accompanied it were not included in the final report. Those attachments were reviewed and considered in preparing our final report.

SBA generally agreed with the auditor’s findings and recommendations, with the exception of finding 3A on application software development and program change control and finding 5A on segregation of duty controls for the Loan Accounting System (LAS). Finding 3A and recommendation 3A were modified to more accurately reflect what was found during audit fieldwork. Finding 5A and recommendation 5B were not changed or modified, as the CIO must adequately ensure that security is enforced in LAS Agency-wide.

The findings in this report are based on the auditors’ conclusions, and the report recommendations are subject to review, management decision and action by your office(s), in accordance with existing Agency procedures for follow-up and resolution.

Please provide us your proposed management decisions within 30 days on the attached SBA Forms 1824, Recommendation Action Sheet. If you disagree with the recommendations, please provide your reasons in writing.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, Information Technology and Financial Management Group, at (202) 205-[FOIA Ex. 2].

Attachments

November 15, 2004

AUDIT OF INFORMATION SYSTEM CONTROLS
FISCAL YEAR 2004 FINANCIAL STATEMENT AUDIT

Inspector General
U.S. Small Business Administration

We audited the financial statements of the U.S.
Small Business Administration (SBA) as of and for the years ended September 30, 2004, and 2003, and have issued our report thereon dated November 15, 2004. In that report, we issued an unqualified opinion on the Fiscal Year (FY) 2004 combined statement of budgetary resources and the FY 2003 consolidated balance sheet (as restated); issued a qualified opinion on the FY 2004 consolidated balance sheet and statements of net costs, changes in net position, and financing; and disclaimed an opinion on the FY 2003 consolidated statements of net cost, changes in net position, and financing and the combined statement of budgetary resources. These financial statements are the responsibility of SBA’s management.

In planning and performing our work, we considered SBA’s internal control over financial reporting by obtaining an understanding of SBA’s internal control, determining if internal control had been placed in operation, assessing control risk, and performing tests of control. We limited our internal control testing to those controls necessary to achieve objectives described in Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations. The objective of our work was not to provide assurance on internal control. Consequently, we do not provide an opinion on internal control.

Our consideration of internal control over financial reporting would not necessarily disclose all matters in internal control over financial reporting that might be reportable conditions.
Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect SBA’s ability to record, process, summarize, and report financial data consistent with management assertions in the financial statements.

This report is intended solely for the information and use of SBA management. We would like to express our appreciation to the SBA representatives who assisted us in completing our work. They were always courteous, helpful, and professional.

Very truly yours,

COTTON & COMPANY LLP

/S/ Original Signed
Charles Hayward, CPA, CISA

AUDIT OF INFORMATION SYSTEM CONTROLS
FISCAL YEAR 2004 FINANCIAL STATEMENT AUDIT
U.S. SMALL BUSINESS ADMINISTRATION

Cotton & Company LLP was engaged to audit the Fiscal Year (FY) 2004 and 2003 financial statements of the U.S. Small Business Administration (SBA). As part of that work, we reviewed general and application controls over SBA’s information systems following guidance provided in the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM).
FISCAM incorporates audit techniques and procedures to ensure adequate coverage of federal requirements and standards established by:

        •   Computer Security Act of 1987.
        •   Clinger-Cohen Act.
        •   Government Information Security Reform Act (GISRA), now the Federal Information Security Management Act (FISMA).
        •   Office of Management and Budget (OMB) Circulars A-127, Financial Management Systems, and A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources.
        •   National Institute of Standards and Technology (NIST) standards and guidelines contained in NIST’s Federal Information Processing Standards (FIPS) publications and in its 800-series Special Publications.

This report contains the results of our review and our recommendations for improvements. Control weaknesses discussed herein have been reported in SBA’s FY 2004 financial statement internal control report as a reportable condition.

BACKGROUND

General controls are the policies, procedures, and practices that apply to all or to a large segment of an entity’s information systems to help ensure their proper operation. General controls affect the overall effectiveness and security of computer operations, rather than specific computer applications.
GAO categorizes general controls as follows:

        •   Entity-wide security program controls provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related controls.
        •   Access controls limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure.
        •   Application software development and program change controls prevent implementation of unauthorized programs or modification of existing programs.
        •   System software controls limit and monitor access to powerful programs and sensitive files that control computer hardware and secure applications supported by the system.
        •   Segregation-of-duty controls provide policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations and thereby conducting unauthorized actions or gaining unauthorized access to assets or records.
        •   Service continuity controls ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed, and critical and sensitive data are protected from destruction.

Application controls are the structure, policies, and procedures that apply to individual application systems, such as accounts payable, inventory, payroll, grants, or loans.
Application controls encompass both routines contained within the computer program code and policies and procedures associated with user activities, such as manual measures performed by the user to determine if the computer accurately processed data. GAO categorizes application controls as follows:

        •   Authorization controls are most closely aligned with the financial statement accounting assertion of existence or occurrence. This assertion, in part, concerns the validity of transactions and that they represent economic events that actually occurred during a given period.
        •   Completeness controls directly relate to the financial statement accounting assertion on completeness, which deals with whether all valid transactions are recorded and properly classified.
        •   Accuracy controls directly relate to the financial statement assertion on valuation or allocation. This assertion deals with whether transactions are recorded at correct amounts. The control category, however, is not limited to financial information, but also addresses the accuracy of other data elements.
        •   Controls over integrity of processing and data files, if deficient, could nullify each of the above control types and allow the occurrence of unauthorized transactions, as well as contribute to incomplete and inaccurate data.

SBA’S INFORMATION SYSTEMS ENVIRONMENT

SBA’s financial management information system environment is decentralized. It consists of seven major components operated and maintained by SBA offices and external contractors, as described below.

1.
Loan Accounting System (LAS), a set of mainframe programs that processes and maintains accounting records and provides management reports for SBA’s loan programs. The Office of the Chief Information Officer (OCIO) is responsible for developing and maintaining LAS system software and hardware. LAS is operated and maintained under contract for SBA by UNISYS at its Eagan, Minnesota, facility.

2.  Automated Loan Control System (ALCS), a mini-computer system maintained and operated at each of SBA’s four disaster area offices. ALCS tracks and processes disaster loan applications. After loan approval, it interfaces with LAS to update SBA’s loan records. The Office of Disaster Assistance (ODA) operates ALCS and is responsible for developing and maintaining system software and hardware.

3.  Denver Finance Center (DFC) systems, a variety of specialized programs developed and maintained by the Office of the Chief Financial Officer (OCFO). These programs perform various functions, such as exchanging data with SBA’s business partners, processing and maintaining disbursement and collection data, and interfacing with LAS.

4.  Joint Accounting and Administrative Management System (JAAMS), a client-server financial management system used by all SBA offices for administrative accounting functions. The JAAMS server and database were operated and maintained under contract for SBA by a third-party vendor, Corio, Inc., in Tempe, Arizona. Corio has a second facility in California housing the JAAMS test environment. The California facility also serves as the alternate computing facility for JAAMS in the event that the Tempe, Arizona, facility becomes inoperable.

5.
Local- and Wide-Area Networks (LANs and WANs), communications systems maintained and operated by all SBA offices. LANs and WANs provide gateways to LAS, ALCS, and JAAMS; allow offices to share files and communicate electronically; permit the transfer of data among systems; and provide Internet access. OCIO develops and disseminates guidance and procedures for operation of these systems and periodically monitors them to ensure compliance.

6.  Surety Bond Guarantee (SBG) system, a client-server system developed and maintained by OCIO. This system processes SBG program data and exchanges accounting information with JAAMS.

7.  Credit Subsidy Calculator and Monster Databases, a series of SAS and Java programs and Microsoft Excel spreadsheets developed and maintained by OCFO for calculating subsidy rates supporting SBA’s various direct and guarantee loan programs, consisting of the Section 7(a), Small Business Investment Company (SBIC) Program, Section 504, and Disaster assistance loans, and SBA’s secondary market guarantee program for pooled business loans accounted for in the Master Reserve Fund (MRF).

In addition, SBA’s financial management activities rely on systems developed, maintained, or operated by external parties, including Corio, Inc., Colson Services Corporation, UNISYS, and the USDA National Finance Center (NFC), for processing and exchanging data related to functions such as loan servicing and payroll. SBA also has acquired lock-box banking services from the Bank of America and other non-continental domestic banks for processing checks on borrowers’ loan payments; the banks provide this information electronically to DFC.

FY 2004 RESULTS

SBA continued to improve internal control over its information system environment during FY 2004 in certain areas.
Specifically, SBA:

        •   Conducted certification and accreditation (C&A) reviews for additional major applications.
        •   Continued to implement the Windows 2000 operating system at various field locations.
        •   Conducted a disaster recovery exercise.

These accomplishments were, however, overshadowed by the following identified weaknesses:

        •   SBA does not have an adequate information technology training program in place.
        •   SBA has not initiated prompt action to correct known deficiencies. Specifically, of the 26 recommendations for 13 findings noted in FY 2003, 14 recommendations were not adequately addressed.
        •   Duties within financial applications are not adequately segregated. JAAMS security administration and user account administration privileges have been granted to several individuals. In addition, one user was identified as having both financial and Information Technology (IT) incompatible duties within JAAMS.
        •   Policies and procedures for the administration of the network operating system (Windows 2000 O/S) have not been developed.
        •   No minimally acceptable baseline configuration exists for the Sun Solaris (UNIX) operating system housing JAAMS, the Windows 2000 domain controllers, the Sybase database management system (DBMS), and the Oracle DBMS that support JAAMS.
            In addition, we found several weaknesses in the configuration of these platforms when compared with federal guidance and the industry best practices promulgated by the Center for Internet Security for securing the respective platforms.
        •   Access authorizations to the SBA Network, JAAMS, LAS, and the Sybase general support systems are not adequate. Access authorization forms are not required for the network, Sybase, and LAS. Access authorization forms are required for JAAMS; however, not all forms could be located for review.
        •   Emergency access authorizations to SBA’s Network, JAAMS, LAS, and the Sybase general support system are not adequate.
        •   Network, JAAMS, and LAS password controls are weak.
        •   Review of inactive accounts is not being performed on the network, LAS, or the Sybase general support system.
        •   Logging and monitoring of SBA general support systems and JAAMS are not adequate.
        •   Business Resumption plans have not been completed and fully incorporated into SBA’s Continuity of Operations Plan (COOP).

In the remainder of this report, we discuss the results of our FY 2004 review and the status of management actions to address prior-year recommendations and new weaknesses identified in FY 2004. We also present our recommendations for improvements.
This report includes the following attachments:

        Number   Title
        1        FY 2004 Summary of Results
        2        Status of Prior-Year Audit Recommendations
        3        Management Comments and Our Evaluation
                 A – Response from Acting Chief Information Officer
                 B – Response from Chief Financial Officer
                 C – Response from Chief Human Capital Officer
                 D – OCIO/OHCM/OCFO Response with Auditor Comment
        4        Network Analysis Results (Limited Official Use and Restricted Distribution)
        5        Windows 2000 Configuration Review Results (Limited Official Use and Restricted Distribution)
        6        Oracle Database Configuration Review Results (Limited Official Use and Restricted Distribution)
        7        Sybase Database Configuration Review Results (Limited Official Use and Restricted Distribution)
        8        UNIX Configuration Review Results (Limited Official Use and Restricted Distribution)

ATTACHMENT 1

FY 2004 SUMMARY OF RESULTS

1. ENTITY-WIDE SECURITY PROGRAM CONTROLS

Entity-wide security program planning and management provides a framework for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of an entity’s computer-related controls. SBA’s information system security program planning and management continued to have areas of weakness.
Without an effective management control structure, control weaknesses throughout the information system and security infrastructure will continue, and specific actions to address weaknesses will continue to be ineffective.

We identified the following entity-wide security program control weaknesses during our FY 2004 financial statement audit:

A.  A policy requiring mandatory vacation or job rotation for employees in sensitive positions has not been developed, and sensitive positions have not been formally identified and documented by OCIO. NIST Special Publication (SP) 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, states that mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts. Rotating employees in sensitive positions, which can expose fraudulent activities that require an employee’s continued presence to sustain, is one such mechanism.

    Recommendation 1A: We recommend that the Chief Human Capital Officer develop a policy requiring:

        •   Periodic job rotations and/or mandatory annual vacations for employees in sensitive Information Technology positions, or
        •   Temporary re-assignment of the work of employees in sensitive Information Technology positions to other employees.

    Recommendation 1B: We recommend that the Chief Information Officer include job rotation and mandatory vacation requirements in the Security Program Plan, SOP 90-47-1, and develop procedures to comply with the new policy.

B.  An information technology training program has not been developed, and training and professional development are not documented and monitored for SBA system administration staff.
    This is especially significant for those personnel who operate SBA general support systems and major applications. Federal agencies cannot protect the confidentiality, integrity, and availability of information without ensuring that each person involved understands his or her role and responsibilities and is adequately trained to perform them. OCIO has not identified and requested the resources necessary to implement an effective employee training program.

    Audit report OIG 2-18, issued on May 6, 2002, recommended that the Chief Operating Officer provide adequate funding and resources to allow OCIO to develop and implement technical training for security staff and all network and application security administrators. Additionally, audit report OIG 4-19, issued on April 29, 2004, recommended that the Chief Information Officer ensure that adequate technical training is provided to SBA personnel, including network and system personnel, in accordance with NSA, NIST, and Windows 2000 best practices. SBA responded to the initial recommendation in report OIG 2-18 that adequate funding for technical training would be in place by March 1, 2003. This recommendation remains open, and documentation of adequate funding has not been provided. SBA responded to one of the two recommendations in audit report OIG 4-19 that adequate technical training would be provided by March 31, 2005. SBA did not respond to the other recommendation, for which a response was due to OIG on May 29, 2004. Therefore, we are making no new recommendations at this time.

C.  SBA does not initiate prompt action to correct known deficiencies, and corrective actions are not monitored on a continuing basis.
    OCIO developed a database for tracking recommendations identified in prior audits; however, this database is not being adequately maintained. Of the 26 recommendations for 13 findings noted in our FY 2003 FISCAM report, 14 recommendations were not adequately addressed. In addition, we noted 40 recommendations in SBA’s Plan of Action and Milestones (POA&M) document that remained unresolved past their scheduled completion dates. Of these 40 recommendations, 20 were more than 200 days past their scheduled completion date. OCIO responded in the initial exit meeting that it did not have adequate resources to oversee audit recommendations and ensure they were adjudicated in a timely manner.

    Audit report OIG 4-19, issued on April 29, 2004, recommended that the Administrator ensure that sufficient resources are provided to enable OCIO to meet its responsibilities under the Clinger-Cohen Act, FISMA, and OMB Circulars A-50, A-127, and A-130. SBA has not provided a response to the recommendation in audit report OIG 4-19, which was due to OIG on May 29, 2004. Therefore, we are making no new recommendations at this time.

2. ACCESS CONTROLS

Physical and logical access controls should be designed to protect an agency’s assets against unauthorized modification, loss, destruction, and disclosure. During the FY 2004 controls review, we performed access control testing at the network, application, database, and operating system levels. We noted the following access control weaknesses:

A.
    Controls are not adequate to ensure that access authorizations are documented on standard forms, maintained on file, approved by senior managers, securely transferred to security managers, and periodically reviewed by owners to determine their continued appropriateness.

    NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, states that organizations should have a process for requesting, establishing, issuing, and closing user accounts, and for tracking users and their respective access authorizations. NIST also states that it is necessary to periodically review user account management on a system. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up to date, whether required training has been completed, and so forth.

    Access requests to SBA’s network, LAS, and the Sybase general support systems (Sybase) are not required to be documented on standard forms that are retained. Access requests are submitted verbally or by e-mail to system administrators. In addition, because access requests are not retained, owners are unable to periodically verify that the access users currently have was authorized.

    The OCFO does require that access requests to JAAMS be documented on the Computer Access Security Request Form (Form 2200) and retained; however, our review determined that controls over the retention of access request forms need improvement.
    Of 45 active accounts sampled, we identified six that could not be traced to access request forms.

    Recommendation 2A: We recommend that the Chief Information Officer:

        •   Develop policies and procedures requiring that access requests be documented on standard access request forms and retained.
        •   Develop a policy requiring that access request forms be periodically traced to active users to ensure that each user’s access agrees with the authorization on the access request form.

    Recommendation 2B: We recommend that the Chief Information Officer:

        •   Ensure access to JAAMS is granted only when requested via Form 2200.
        •   Ensure all access request forms are maintained on file for future reference. Access request forms should be periodically traced to active user accounts to make sure access in JAAMS agrees with the access that was requested and approved.

B.
    Controls are not adequate to ensure that emergency access authorizations are documented on standard forms, approved by appropriate managers, securely communicated to the security function, and automatically terminated after a predetermined period of time.

    Policies and procedures for granting emergency or temporary access to the network, LAS, JAAMS, and Sybase have not been developed and documented.

    OCIO and OFS stated that normal procedures for granting access to the network and financial applications would be followed in an emergency; however, the request would be prioritized and pushed through the normal channels more rapidly.

    In an emergency, excessive or inappropriate access may be granted. Accounts created for temporary access may remain active after the period of intended use, increasing the risk of unauthorized or malicious activity.

    Recommendation 2C: We recommend that the Chief Information Officer, in conjunction with OCFO:

        •   Develop and document policies and procedures for granting emergency and temporary access to the network, JAAMS, LAS, and Sybase.
        •   Require that emergency and temporary access requests be documented on a standard form and retained for future reference.

C.  Controls are not adequate to ensure that passwords for the network, LAS, and JAAMS are changed periodically, are at least eight alphanumeric characters in length, are prohibited from reuse for at least eight generations, and that attempts to log on with an invalid password are limited to three to five attempts. SBA’s SOP 90-47-1, Automated Information System Security Program, states that passwords must be at least eight characters, must be set to automatically expire every 90 days, and should be checked against a history of the last eight passwords.
     In addition, NIST SP 800-14, Generally Accepted Principles and Practices for Securing
     Information Technology Systems, states that organizations should limit the number of
     failed-login attempts.

     [FOIA Ex. 2]

     Recommendation 2D: We recommend that the Chief Information Officer:

             •   Develop procedures to ensure all network accounts are created in accordance with
                 SBA policy.
             •   Periodically review network accounts to ensure compliance with policy.

     Recommendation 2E: We recommend that the Chief Information Officer:

             •   Develop and implement program changes for LAS to force users to change their
                 password every 90 days, in accordance with SBA policy.
             •   Develop and implement program changes to force LAS accounts to lock after three to
                 five failed attempts at logging in. Accounts should be locked until reset by the
                 system administrator.

     Recommendation 2F: We recommend that the Chief Financial Officer continue with the
     planned upgrade of the Oracle application and database for JAAMS. Security settings should be
     enabled to enforce strong password controls, including password history and automatic lock-out
     after a set number of failed login attempts.

D.   Controls are not adequate to ensure that inactive user accounts are monitored and removed when
     no longer needed. Periodic reviews of network, LAS, and Sybase accounts are not being
     performed.
     OCIO has a process in place in which they are notified by HR when employees leave
     so their accounts can be disabled or deleted; however, this process does not include contractors
     and does not identify unused accounts. If an employee's account is not disabled or deleted during
     the exit process, it will remain active. SBA policy and NIST SP 800-14, Generally Accepted
     Principles and Practices for Securing Information Technology Systems, require that accounts be
     periodically reviewed to ensure access is appropriate.

     As noted in our FY2003 report, OCIO is not performing periodic reviews of network accounts to
     remove inactive accounts in accordance with SOP 90-47-1, which states that network accounts
     should be reviewed monthly to determine continuing need. In addition, OCIO stated that they
     cannot readily identify which accounts on the network are active vs. inactive. Of the 1,483
     accounts we reviewed for inactivity, 472 accounts had not been used in more than three months.
     Responsibility for reviewing SBA's network accounts was assigned during FY2003; however, the
     individual assigned responsibility for this task transferred within SBA, and OCIO did not
     reassign responsibility.

     In addition to the network, OCIO is not performing periodic reviews of LAS and Sybase accounts
     to identify and remove inactive accounts. Although SBA does have a policy stating that network
     accounts should be reviewed on a periodic basis, no such policy or procedures exist for the
     periodic review of other system accounts.
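     A review of the kind SOP 90-47-1 requires, as an added example that is not part of this
     report or of OCIO's process: it sets disabled accounts aside, flags enabled accounts that are
     unused for more than the three-month measure used above or have never been used, and includes
     contractor accounts, which the HR-driven exit process does not cover. The record fields, the
     three-month threshold expressed as 90 days, and the sample accounts are constructed assumptions.

```python
"""Inactive-account review (added example; not SBA or OCIO tooling).

Classifies directory accounts the way a monthly SOP 90-47-1 review needs:
disabled accounts are set aside, enabled accounts unused for more than the
threshold (or never used) become review candidates, and contractor accounts
are included because the HR exit-notification process does not cover them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "More than three months" in the finding, expressed as days (assumption).
INACTIVITY_THRESHOLD_DAYS = 90


@dataclass
class Account:
    user_id: str
    enabled: bool                   # False = account is already disabled
    last_logon: Optional[datetime]  # None = never logged on
    account_type: str               # "employee" or "contractor" (assumed field)


def classify(acct: Account, as_of: datetime,
             threshold_days: int = INACTIVITY_THRESHOLD_DAYS) -> str:
    """Return one of 'disabled', 'never_used', 'inactive', 'active'."""
    if not acct.enabled:
        return "disabled"
    if acct.last_logon is None:
        return "never_used"
    if as_of - acct.last_logon > timedelta(days=threshold_days):
        return "inactive"
    return "active"


def review(accounts: List[Account], as_of: datetime,
           threshold_days: int = INACTIVITY_THRESHOLD_DAYS) -> Dict[str, List[str]]:
    """Group account IDs by status, preserving input order within each group."""
    report: Dict[str, List[str]] = {
        "active": [], "inactive": [], "never_used": [], "disabled": []}
    for acct in accounts:
        report[classify(acct, as_of, threshold_days)].append(acct.user_id)
    return report


def review_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Enabled accounts needing a continuing-need decision: inactive or never used."""
    return sorted(report["inactive"] + report["never_used"])


def contractor_candidates(accounts: List[Account], as_of: datetime,
                          threshold_days: int = INACTIVITY_THRESHOLD_DAYS) -> List[str]:
    """Candidates that an HR-only exit process would miss entirely."""
    return sorted(a.user_id for a in accounts
                  if a.account_type == "contractor"
                  and classify(a, as_of, threshold_days) in ("inactive", "never_used"))


# Constructed sample export; dates are chosen around an as-of date of 30 Sep 2004.
AS_OF = datetime(2004, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, datetime(2004, 9, 28), "employee"),
    Account("contractor01", True, datetime(2004, 3, 15), "contractor"),
    Account("asmith", True, datetime(2004, 7, 5), "employee"),    # 87 days idle: still active
    Account("svc_backup", True, None, "employee"),                # never logged on
    Account("bjones", False, datetime(2003, 11, 1), "employee"),  # already disabled
    Account("mlee", True, datetime(2004, 7, 1), "employee"),      # 91 days idle: inactive
]

if __name__ == "__main__":
    result = review(SAMPLE_ACCOUNTS, AS_OF)
    for status, ids in result.items():
        print(f"{status:>10}: {', '.join(ids) or '-'}")
    print("review candidates:", review_candidates(result))
    print("contractor candidates:", contractor_candidates(SAMPLE_ACCOUNTS, AS_OF))
```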
     Without a policy and procedures for the periodic review of network and application accounts,
     the likelihood of unauthorized individuals gaining access to SBA's network or financial
     applications is increased. Inactive accounts could potentially be used by unauthorized
     individuals to perform malicious activities on the network.

     Recommendation 2G: We recommend that the Chief Information Officer:

             •   Conduct monthly reviews of network accounts, as required by SOP 90-47-1, including
                 identifying inactive accounts. These accounts should be reviewed to determine if
                 they are still necessary.
             •   Investigate acquiring an automated tool to aid in differentiating active vs. disabled
                 accounts on the network.

     Recommendation 2H: We recommend that the Chief Information Officer develop a policy and
     procedures requiring the periodic review of all SBA accounts (General Support System and
     Major Application), and assign responsibility for executing these new procedures.

E.   Logging and monitoring controls at the network and application level are weak. SBA has no
     policies and procedures identifying which activities should be logged and how to determine these
     activities, and has not specified who should review logs and how often. SBA briefly discusses
     logging in Procedural Notice 9000-1407 and SOP 90-47-1; however, not at a level sufficient
     to ensure that individuals know what to log, who should review the logs, what the logs should be
     reviewed for, and how often they should be reviewed.

     From our review of the network, LAS, Sybase, and JAAMS, we determined that logging and
     monitoring activities are not occurring on SBA's general support systems and major applications.
     Specifically:

             •   Activities on SBA's network are being logged; however, these logs are not being
                 reviewed on a regular basis. When the logs are reviewed, it is by the Network
                 Integration Branch (NIB) and not OCIO Security. In addition, we determined that
                 logs are only retained for two weeks before they are overwritten due to limited
                 storage capacity.
             •   Database administration activities in the Oracle database supporting JAAMS are not
                 logged. The only logging enabled at the database level is for the tracking of two SBA
                 employees with powerful access rights. In addition, although OCFO claimed they are
                 using forms-level auditing on the JAAMS application, they could not provide
                 sufficient information to detail what activities were logged, who reviewed these logs,
                 what the logs were reviewed for, and how often they were reviewed.
             •   Logging was not enabled in Sybase; therefore, Sybase activity was not being
                 adequately monitored.
             •   Logging and monitoring of activities within LAS is not taking place. LAS does log
                 activities such as failed logons; however, no individual in OCIO is currently assigned
                 responsibility for reviewing these logs.

     Recommendation 2I: We recommend that the Chief Information Officer, for all SBA internal
     and contractor-supported general support systems and major applications (e.g., Egan Mainframe;
     SBA and Corio UNIX; Network and Windows 2000; Loan Accounting System, Sybase,
     Mainframe; JAAMS Oracle, and related application functions):

             •   Develop and document policies and procedures clearly outlining what activities
                 should be logged, who should be responsible for reviewing logs, what the logs should
                 be reviewed for, how often logs should be reviewed, and how long logs should be
                 retained.
             •   Assign responsibility within OCIO Security for the review of application and general
                 support system security logs.
             •   Retain audit logs for a sufficient period of time (at least 90 days).

     Recommendation 2J: We recommend that the Chief Financial Officer:

             •   Require that all activities by Oracle database administrators be logged.
             •   Require periodic review of database logs by someone outside of Corio, preferably an
                 individual within OFS or OCIO Security with an understanding of the production
                 Oracle database. Audit logs should not be reviewed by the individuals being audited.
             •   Take the steps necessary to ensure all activity in JAAMS involving access to and
                 modification of sensitive or critical files at the application level is logged.
             •   Assign responsibility for the periodic review of JAAMS application logs.

F.   Controls over the Oracle database supporting JAAMS are weak. [FOIA Ex. 2]

     Our review identified system configuration and logical access control vulnerabilities. The specific
     security-related conditions are detailed in Attachment 6 (Limited Official Use and Restricted
     Distribution).

     We identified 42 vulnerabilities, of which 4 were considered high risk, 16 medium risk, and 22
     low risk. The following conditions contributed to the high-risk vulnerabilities.

     Recommendation 2K: We recommend that the Chief Information Officer, in conjunction with
     OCFO:

         •   Use the CIS benchmark to ensure that adequate security is incorporated into the planned
             Oracle upgrade.
         •   Develop a minimally accepted security baseline configuration for the Oracle database
             platform which would be utilized for all SBA Oracle database management systems.

G.   Controls over SBA's Sybase database are weak. Our review identified system configuration and
     logical access vulnerabilities. Specific security-related conditions are detailed in Attachment 7
     (Limited Official Use and Restricted Distribution).

     Of the 23 vulnerabilities identified, one was considered high risk, 13 medium risk, and the
     remaining nine were considered low risk.

     [FOIA Ex. 2]

     Recommendation 2L: We recommend that the Chief Information Officer develop and
     implement a corrective action plan with specific milestones to address the database weaknesses
     identified in Attachment 7 (Limited Official Use and Restricted Distribution) in a timely manner.
     In addition, we recommend that OCIO develop a minimally accepted security baseline
     configuration for the Sybase platform which would be utilized for all SBA Sybase database
     management systems.

3.   APPLICATION SOFTWARE DEVELOPMENT AND PROGRAM CHANGE CONTROLS

SBA's application software development and program change controls should be designed to prevent
implementation of unauthorized programs and modifications to existing programs, and should ensure that
security is adequately incorporated into the development and change of programs. Our review of change
controls for JAAMS and LAS identified the following weaknesses:

A.   Change controls for LAS need improvement.
     Through our change control testing for LAS, we determined that OCIO personnel responsible
     for maintaining LAS were not aware of documented change control procedures for LAS, nor of
     SDM configuration management procedures Agency-wide.

     In addition, we determined that:
          •   Test plan standards for LAS have not been developed for all levels of testing that define
              responsibilities for each party,
          •   Documentation standards have not been developed that define a sufficient amount of
              documentation on changes to code and operational procedures, and
          •   LAS data center supervisors and/or security officers do not periodically review
              production program changes to determine whether access controls and change controls
              have been followed.

     When documented change control policies and procedures are not adequately communicated and
     enforced, SBA has less assurance that changes introduced into production have gone through the
     necessary controls. Changes introduced into production may contain malicious or harmful code or
     can potentially have a negative impact on the functionality of the application.

Recommendation 3A: We recommend that the Chief Information Officer:

     •   Provide software developers, testers, and IT management with ongoing training in software
         development, testing, and acceptance procedures,
     •   Define sufficient documentation standards for LAS, and
     •   Define sufficient test standards and procedures for LAS.

4.   SYSTEM SOFTWARE CONTROLS

Properly designed system software controls limit and monitor access to programs and files that control
computer hardware and protect applications. We identified security control weaknesses with the network
operating system that reduce the effectiveness of controls to protect network operations from
unauthorized activities from internal sources. In addition, we identified weaknesses with the UNIX
operating system supporting JAAMS.

OMB Circular A-130, Appendix III, requires agencies to establish and implement adequate technical
security controls to secure and safeguard data, software, and hardware from theft, misuse, alteration, and
unauthorized access. Additionally, NIST, CIS, and the National Security Agency (NSA) have developed
standards for securing Windows 2000 and UNIX environments.

A.   We conducted a scan of SBA's network to identify and assess the level of risk, using a
     vulnerability scanning tool to identify SANS (SysAdmin, Audit, Network, Security) Institute
     "Top 20" security vulnerabilities. Our scan assessed whether SBA network servers had been
     properly configured, and whether network operating system software had been updated with
     vendor patches designed to address known vulnerabilities. A list of the most frequent
     vulnerabilities found within the SBA network is included in Attachment 4 (Limited Official Use
     and Restricted Distribution).
     Full details of the vulnerabilities found are provided in separate reports that have been
     provided to OCIO and OIG.

     The scan disclosed significant exposures on network resources residing on the SBA network.
     These exposures were primarily the result of the following:

             •   Vendor patches and security hot-fixes were not installed in a timely manner.
             •   Network servers, routers, and workstations were not properly configured.

     Although OCIO developed procedures to ensure patches and security hot-fixes were implemented
     in a timely manner and to ensure network servers are properly configured, the procedures were
     inconsistently applied.

     Audit report (OIG 4-19), Attachment 4 (Limited Official Use and Restricted Distribution), issued
     on April 29, 2004, in recommendation 4A(1) recommended that the Chief Information Officer
     develop and implement a corrective action plan to address the vulnerabilities identified in that
     report. SBA responded that a corrective action plan would be completed by March 31, 2005. We
     are augmenting that recommendation to include the vulnerabilities identified in this year's
     Attachment 4 (Limited Official Use and Restricted Distribution), which identifies the
     vulnerabilities found in our current year's network scan.

     Recommendation 4A: We recommend that the Chief Information Officer develop and
     implement a corrective action plan with specific milestones to address the network weaknesses
     identified in Attachment 4 (Limited Official Use and Restricted Distribution) of this year's report
     and in the detailed vulnerability assessment reports in a timely manner.

B.   Although OCIO installed a network intrusion detection system (IDS) and contracted with a
     vendor to monitor IDS activities and maintain and review all IDS activity logs, OCIO had not
     developed written policies or procedures to establish requirements and ensure performance. We
     commend OCIO for recognizing the need to install additional server sensor devices on the
     network. OCIO plans to add another 20 sensors during FY 2005.

     Audit report (OIG 4-19) issued on April 29, 2004 recommended that the Chief Information
     Officer perform a security assessment for the placement of the initial 20 network sensors. SBA
     responded that the analysis would be completed by February 28, 2005. Therefore, we are making
     no new recommendation at this time.

     Additionally, audit report (OIG 4-19) issued on April 29, 2004 recommended that the Chief
     Information Officer revise the IDS vendor's contract as necessary for the performance factors
     established in Recommendation No. 4A of this report. SBA responded that the IDS vendor's
     contract would be revised by February 28, 2005. Therefore, we are making no new
     recommendation at this time.

C.   The FY 2002 FISCAM report recommended that OCIO develop the means to test for compliance
     with SBA's password configuration requirements. In FY 2003, OCIO obtained password-cracking
     software to periodically test user password configurations for compliance with SBA's password
     configuration requirements and to determine if users were using easily guessed passwords.
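     A change-time screen for the password rules quoted from SOP 90-47-1 and NIST SP 800-14 in
     section 2C above (eight-character minimum, letters and digits, eight-generation history, lockout
     after three to five failures until an administrator resets the account), as an added example that
     is not part of this report or of OCIO's test process; checking at change time means no cracked
     plaintext passwords ever have to be held. The rule names, the choice of three failures, and the
     digest used for the history comparison are assumptions.

```python
"""Password-configuration policy screen (added example; not OCIO tooling).

Checks a proposed password against the SOP 90-47-1 rules quoted in the report
(at least eight characters, alphanumeric, not reused within eight generations,
not the user ID) and counts failed logons for the lockout in Recommendation 2E.
"""
import hashlib
import hmac
from typing import Dict, List, Sequence, Set

MIN_LENGTH = 8
HISTORY_GENERATIONS = 8
MAX_FAILED_ATTEMPTS = 3   # report allows three to five; the strict end is assumed


def history_digest(user_id: str, password: str) -> str:
    """Digest kept only to compare a proposed password against stored history.
    Illustrative: a production system would store a proper password hash."""
    return hashlib.sha256(f"{user_id.lower()}:{password}".encode()).hexdigest()


def policy_violations(password: str, user_id: str,
                      history: Sequence[str] = ()) -> List[str]:
    """Return the names of the rules the proposed password violates (empty = compliant).

    history: digests of the user's previous passwords, most recent first."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isalpha() for c in password):
        violations.append("no_letters")        # numeric-only passwords
    if not any(c.isdigit() for c in password):
        violations.append("no_digits")         # alpha-only passwords
    if password.lower() == user_id.lower():
        violations.append("same_as_user_id")   # password equal to the user ID
    proposed = history_digest(user_id, password)
    if any(hmac.compare_digest(proposed, old) for old in history[:HISTORY_GENERATIONS]):
        violations.append(f"reused_within_{HISTORY_GENERATIONS}_generations")
    return violations


class LockoutTracker:
    """Counts consecutive failed logons per user and locks the account after
    max_failures; it stays locked until an administrator resets it."""

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS) -> None:
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def is_locked(self, user_id: str) -> bool:
        return user_id in self._locked

    def record_failure(self, user_id: str) -> bool:
        """Register a failed logon; returns True if the account is now locked."""
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        if self._failures[user_id] >= self.max_failures:
            self._locked.add(user_id)
        return self.is_locked(user_id)

    def record_success(self, user_id: str) -> None:
        """A successful logon on an unlocked account clears the failure count."""
        if self.is_locked(user_id):
            raise PermissionError(f"{user_id} is locked; administrator reset required")
        self._failures.pop(user_id, None)

    def admin_reset(self, user_id: str) -> None:
        """Only an administrator action unlocks the account (Recommendation 2E)."""
        self._locked.discard(user_id)
        self._failures.pop(user_id, None)


if __name__ == "__main__":
    # Constructed sample history for a user; nothing here is real SBA data.
    old = [history_digest("jdoe", "Spring04a"), history_digest("jdoe", "Winter03b")]
    for candidate in ("abcdefgh", "12345678", "jdoe", "Spring04a", "Autumn04z"):
        print(f"{candidate:>10}: {policy_violations(candidate, 'jdoe', old) or 'compliant'}")
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        tracker.record_failure("jdoe")
    print("locked after", MAX_FAILED_ATTEMPTS, "failures:", tracker.is_locked("jdoe"))
```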
     Although OCIO's test process achieved the stated goals, the test process was neither
     effective nor efficient and created potential security exposures if cracked passwords were
     inadvertently or intentionally released to unauthorized individuals. OCIO cracks all user
     password files and assesses the time required to crack as an indicator of complexity. For
     passwords that crack quickly, OCIO determines what caused the password to crack and advises
     the user of corrective action.

     We found that the strength of SBA user passwords is weak. We identified the following:
            •   173 passwords were cracked using only alpha characters,
            •   13 passwords were cracked using only numeric characters, and
            •   255 passwords were the same as the associated user ID.

     All of these instances are violations of the SBA password policy. Some of the cracked passwords
     were for accounts that have administrative permissions to the domain and to all workstations.
     Audit report (OIG 4-19) issued on April 29, 2004 recommended that the Chief Information
     Officer enhance password test procedures to screen all passwords for compliance with password
     configuration policy. SBA has not provided a response to the recommendation in audit report
     (OIG 4-19), which was due to OIG on May 29, 2004. Therefore, we are making no new
     recommendations at this time.

     Audit report (OIG 4-19) issued on April 29, 2004 recommended that the Chief Information
     Officer, in consultation with OHCM, develop procedures for escalating administrative
     consequences for personnel identified as not compliant, such as:

        •   Advise first-time offenders to immediately change their passwords to conform to the
            policy.
        •   Temporarily disable accounts for a second offense and notify the account owner and his
            or her supervisor.
        •   Suspend accounts for a third offense and send a request for adverse personnel action to
            the office director of OHCM and to the account holder.

     SBA has not provided a response to the recommendation in audit report (OIG 4-19), which was
     due to OIG on May 29, 2004. Therefore, we are making no new recommendations at this time.

D.   [FOIA Ex. 2]

     Recommendation 4B: We recommend that the Chief Information Officer develop minimally
     acceptable baseline configurations based on guidance from NSA, NIST, CIS, SANS, and industry
     best practices for Windows 2000 Domain Controllers. In addition, these baseline configurations
     should address all the issues identified above based on the source used for developing the
     baselines, and the settings and policies should be put into place.

E.   Policies and procedures for the administration of system software (Windows O/S) have not been
     developed and documented. OCIO has not identified and documented what administrative
     functions for the administration of Windows should be segregated and what access each
     administrator should have.
     Individuals within the NIB are granted similar access for administering the network
     operating system.

     Conversion from Windows NT to Windows 2000 has not been completed. Without documented
     policies and procedures for identifying, selecting, installing, and modifying system software,
     SBA cannot be sure of system integrity. In addition, controls over sensitive functions within the
     operating system are weakened, and individuals with administrative access could intentionally or
     unintentionally change system settings in an unauthorized manner, adversely affecting the
     performance or security of the operating system.

     Audit report (OIG 2-18) issued on May 6, 2002 recommended that the Chief Information Officer
     develop and implement standard operating procedures for network system and security
     administrators that provide adequate guidance, describe procedures for maintaining the network
     and other system accounts, and ensure that accounts belong only to authorized individuals. SBA
     responded that standard operating procedures for network and system accounts would be
     implemented by December 1, 2003. However, this recommendation remains open at this time.
     Since this recommendation remains open, we are augmenting it as follows:

     Recommendation 4C: We recommend that the Chief Information Officer:

     •       Develop policies and procedures for the administration of, and restriction of access to,
             system software.
     •       Develop policies and procedures for identifying, selecting, and modifying system
             software.
     •       Identify and document appropriate administrative access to system software.
     •       Ensure individuals with administrative access to system software require such access.
             Individuals should be granted the minimum level necessary to perform their assigned
             responsibilities.

F.   We identified weaknesses in the UNIX operating system supporting JAAMS. Our analysis of the
     standard configuration documentation and operating system installation identified several issues,
     which are included in Attachment 8 (Limited Official Use and Restricted Distribution). FISMA
     requires agencies to develop baselines for their systems to ensure security is adequately
     addressed.

     Audit report (OIG 4-41) issued on September 10, 2004 recommended that the Chief Information
     Officer:

        •   Develop a standard baseline configuration that outlines security configurations for all UNIX
            operating systems at SBA. Best practice documents such as the CIS Solaris Benchmark, Sun
            Microsystems' Blueprint documents, and NSA's Guide to Securing Solaris should be used to
            develop these documents to ensure compliance with best practice standards.
        •   Implement the standard baseline configuration on all UNIX servers which support all major
            SBA applications, including those servers owned and operated by SBA as well as those under
            contract to the various SBA offices.
        •   Ensure that the standard baseline configuration for all UNIX servers is enforced by the SBA
            Certification and Accreditation (C&A) process.

     SBA responded that a standard baseline configuration for UNIX servers would be developed by
     September 30, 2005. Additionally, SBA responded that this baseline would be implemented on
     all UNIX servers Agency-wide by September 30, 2005. Finally, SBA responded that the standard
     baseline for all UNIX servers would be enforced by the C&A process by September 30, 2005.
     Therefore, we are making no new recommendations at this time.

5.   SEGREGATION-OF-DUTY CONTROLS

An appropriately designed organizational structure with well-designed roles and responsibilities will
minimize the risk that unauthorized actions take place undetected.

OMB Circular A-130, Appendix III, requires agencies to establish and implement controls within the
general control environment and major applications that support the "least privilege" practice. Appendix
III also requires establishing and implementing practices to divide steps of critical functions among
individuals and establishing practices to keep a single individual from subverting a critical process.

A.   SBA does not ensure that separation of duty principles are established, enforced, and
     institutionalized within the organization.
     Controls are not adequate to ensure that no individual has complete control over incompatible
     administrative and transaction processing functions.

     Our audit identified two individuals with excessive or incompatible responsibilities assigned to
     their accounts in JAAMS. Incompatible or excessive duties identified include:

        •   Security administration of JAAMS has been assigned to an individual within OCIO. We
            noted that this individual's account was assigned System Administrator and Security
            Manager responsibilities. Separation of duty principles suggest that security
            administration and user account administration functions should be separated.
            Individuals assigned to review system access should not have the ability to add, modify,
            or delete accounts within production.
        •   OCFO has assigned the following excessive responsibilities in production to one of their
            programmers: SBA System Administrator, SBA Maintenance, SBA NFC Payroll
            Processing, SBA Credit Card, Alert Manager, Federal Administrator, Application
            Developer, SBA Translation Manager, and General Ledger Super User.

     Our audit of LAS identified 57 users with Terminal User and Agency/Regional/District Security
     Officer responsibilities. These 57 individuals have the ability to add, modify, and delete user
     accounts under their security officer accounts and are normal users within their terminal user
     accounts. Separation of duty principles suggest that system or security administration and data
     entry functions should not be performed by the same individuals. Administration of LAS is not
     centralized. Field locations are assigning system administrator duties to individuals who also
     perform financial activities within LAS.

     Without sufficient controls to ensure proper separation of duties, individuals may have complete
     control over incompatible transaction processing functions that could permit fraudulent activities.
     Fraudulent activities could include creating fictitious user accounts and permitting unauthorized
     access.

     Recommendation 5A: We recommend that the Chief Financial Officer identify individuals with
     incompatible or excessive responsibilities within JAAMS. These include the following
     privileges:
          •   Alert Manager,
          •   Application Developer,
          •   Federal Administrator,
          •   General Ledger Super User,
          •   SBA Credit Card,
          •   SBA NFC Payroll Processing,
          •   Systems Administration,
          •   Systems Maintenance, and
          •   Translation Manager.

     Incompatible or excessive responsibilities should be removed, or management should document the
     reason for granting these responsibilities and ensure compensating controls are in place to
     monitor activities by these individuals. Review of activities by individuals with excessive or
     incompatible duties should be documented and signed off by management.

     Recommendation 5B: We recommend that the Chief Information Officer:

        •   Centralize the administration of LAS or put compensating controls in place for the 57
            individuals identified as having incompatible duties.
        •   Periodically review access to LAS to ensure proper separation of duties exists.

B.   Day-to-day operating procedures for the headquarters data center are not adequately documented,
     and prohibited actions are not identified. Resources have not been allocated to develop and
     document day-to-day operating procedures for the data center. Data center staff may not follow
     proper procedures, which can lead to problems with SBA information technology services.

     Recommendation 5C: We recommend that the Chief Information Officer develop and document
     day-to-day operating procedures for the headquarters data center.

6.   SERVICE CONTINUITY CONTROLS

Properly designed service continuity controls increase the assurance that normal business operations can
continue with minimal disruption when unexpected events occur.

OMB Circular A-130, Appendix III, requires an agency to establish and periodically test its capability to
continue to provide services within a system based upon user needs and priorities. Furthermore, agencies
are required to establish and periodically test the capability to perform agency functions supported by the
application in the event of failure of its automated support.

A.   SBA cannot ensure that operations can be resumed within an acceptable period of time in the
     event of a disaster or disruption in service. SBA's Continuity of Operations Program (COOP)
     consists of detailed Business Resumption Plans (BRPs) for the various offices and field sites
     within SBA. OCIO is in the process of collecting these plans from the various offices for review
     and comment. Once all plans have been completed and submitted to OCIO, OCIO intends to help
     the offices test their plans.
SBA has performed some testing on their COOP; however, testing\n     was limited to selected portions of the COOP.\n\n     Our review of nine headquarters BRPs determined that many of the plans were incomplete. The\n     following information was missing from all or some of the plans we reviewed:\n\n     \xe2\x80\xa2       A list of critical operations and data has not been documented that prioritizes data and\n             operations. Six out of the nine headquarter BRPs we reviewed did not have a prioritized\n             list of data and operations. We did note that SBA does have an entity-wide prioritized\n             list of critical data and operations in Attachment III of the HQ COOP.\n\n     \xe2\x80\xa2       Resources supporting critical operations have not been identified and documented. Types\n             of resources identified should include:\n                 o computer hardware\n                 o computer software\n                 o computer supplies\n                 o system documentation\n                 o telecommunications\n                 o office facilities and supplies\n                 o human resources\n\n     \xe2\x80\xa2       Emergency processing priorities have not been documented and approved by appropriate\n             program and data processing managers.\n\n     \xe2\x80\xa2       A system disaster recovery plan for the LAS has not been fully documented that\n             identifies critical data files and restoration procedures between the Egan mainframe and\n             the SBA Sybase server systems to ensure that both systems adequately interface and\n             operate in the event of an emergency.\n\n     \xe2\x80\xa2       SBA has not tested all BRPs, and a deadline for completion of BRPs has not been set.\n\n     In the event of a disaster or disruption in service, SBA may not be able to resume operations\n     within an acceptable period of time. 
In addition, in the event of a disaster, SBA may not know\n     which processes to recover first, what offices are involved in recovery, who is responsible, and\n     what supporting or other resources will be needed.\n\n     Recommendation 6A: We recommend that the Chief Operating Officer:\n\n     \xe2\x80\xa2       Establish a deadline for the completion of all BRPs,\n     \xe2\x80\xa2       Ensure all BRPs submitted are complete. In addition, information from the various BRPs\n             should be used to update SBA\xe2\x80\x99s COOP where necessary,\n     \xe2\x80\xa2       Comply with SBA policy which requires a prioritized list of critical data and operations\n             be established and documented in agency BRPs,\n     \xe2\x80\xa2       Work with the various offices to identify resources supporting mission critical functions.\n             Resources should be documented and included in SBA\xe2\x80\x99s COOP,\n\n\n                                                 13\n\x0c                                                                             ATTACHMENT 1\n\n\n\xe2\x80\xa2      Identify and document emergency processing priorities in the HQ COOP and work with\n       each office to establish a set of emergency processing priorities. 
      Emergency processing priorities should be documented in BRPs and updated on a periodic basis,
    • Work with the various offices within SBA to ensure all BRPs are tested, and
    • Use the results of testing to update or modify the plans where necessary.

Recommendation 6B: We recommend that the Chief Information Officer develop a system disaster recovery plan for LAS (both the Egan mainframe and SBA's Sybase servers) to ensure that all facets of LAS can be recovered if either or both components of the system are disabled during an emergency.

                                                                ATTACHMENT 2

                    AUDIT OF INFORMATION SYSTEM CONTROLS FOR FY 2004
                    STATUS OF PRIOR-YEAR AUDIT RECOMMENDATIONS

ENTITY-WIDE SECURITY PROGRAM CONTROLS:

Condition: OIG Report 4-19, Finding 1A: SBA's information system and security program did not provide assurance that the program complied with requirements established by federal laws, regulations, and standards.
Recommendation 1A: SBA Administrator ensure that sufficient resources are provided to enable OCIO to meet its responsibilities under the Clinger Cohen Act, FISMA, and OMB Circulars A-50, A-127, and A-130.
Status as of 9/30/04: OPEN. Sufficient resources have not been provided to enable OCIO to meet its responsibilities.

Condition: OIG Report 4-19, Finding 1A: SBA's information system and security program did not provide assurance that the program complied with requirements established by federal laws, regulations, and standards.
Recommendation 1B: The Chief Information Officer revise and enhance existing policies and procedures to ensure that:
    • Control weaknesses identified in certification and accreditation reviews and audit reports are resolved in a timely manner, and senior management is provided timely information regarding progress towards implementing corrective actions.
    • OCIO monitoring controls are effective in precluding recurrence of previously noted weaknesses.
    • Technical personnel are provided technical training to enable them to successfully carry out their duties and responsibilities.
    • Technical skills are sufficient to meet new technical requirements prior to implementing new hardware and software.
    • OCIO effectively participates in all phases of system development in a timely manner to ensure that system controls are properly designed and developed to provide adequate security, and data reliability, completeness, and accuracy, for all significant system initiatives both within and outside of OCIO.
Status as of 9/30/04: Open. Control weaknesses identified in prior-year reports have not been corrected, and a technical training program has not been implemented and provided to OCIO staff. See finding 1C in Attachment 1.

Condition: OIG Report 4-19, Finding 1B: OCIO had not implemented procedures to monitor and report management's actions to address and resolve weaknesses identified during system certification and accreditation reviews, audits, and management reviews. OCIO did not monitor system owner implementation of corrective actions to ensure that program offices address weaknesses identified during certification and accreditation reviews in a timely manner. As a result, OCIO was not fully compliant with FISMA, OMB circulars, and NIST standards.
Recommendation 1C: We recommend that the Chief Information Officer, in conjunction with system owners:
    (1) Develop policies and procedures to require system owners to provide plans of action to OCIO for correcting weaknesses identified from audits, management reviews, and certification and accreditation reviews.
    (2) Ensure that plans adequately address management actions to resolve or minimize weaknesses in the short term while implementing longer-term system corrective actions. Develop reporting processes to follow up on system owner corrective action plans.
    (3) Ensure that sufficient resources are made available to monitor system owner corrective action plans.
Status as of 9/30/04: Partially Complete. Plans of action and milestones have been identified and developed from audits, management reviews, and certification and accreditation reviews. However, they are not always complete. Monitoring of system owner corrective action plans does not take place. OCIO currently attempts to follow up on weaknesses in the POA&M at the next certification and accreditation, which is generally three years later.

Condition: OIG Report 2-18, Finding 1C: SBA has not developed an agency-wide integrated security plan for implementing and integrating SOP requirements into OCIO's security program, as required by Section 5.8.1 of SBA's FY 2000 Information Technology Architecture Plan.
Recommendation 1C: Develop an agency-wide security plan, as recommended in Section 5.8 of SBA's Information Technology Architecture Plan, to establish and implement the policies, procedures, and practices for the following:
    • Full integration of the information security approach and implementation process, along with key milestones for implementing the program.
    • Coordination among program offices to support their security needs.
    • Guidance to the program offices for effective implementation of information system security controls.
    • Methods to monitor the effectiveness of each part of the information technology security assigned to each program office.
Status as of 9/30/04: Open.

ACCESS CONTROLS:

Condition: OIG Report 4-19, Finding 2A: Controls over the administration of network and financial application accounts were not effective. OCIO developed and disseminated Procedural Notice 9000-1406, "Removal of Old Computer User Accounts," during FY 2003 in response to our prior-year recommendation in this area; however, this procedural notice is not being followed by all parties. We identified administrators not following established policies and procedures when adding or modifying accounts. Although OCIO did not have administrative responsibility for all systems and the network, it was responsible for ensuring that all SBA program offices complied with OCIO security policy, standards, and requirements.
Recommendation 2A: We recommend that the Chief Information Officer:
    (1) Implement procedures to ensure compliance with Procedural Notice 9000-1406, "Removal of Old Computer User Accounts."
    (2) Require network security administrators to review all current network accounts to identify and eliminate unnecessary accounts, and require periodic documented reviews of all generic network accounts to ensure that they are authorized and needed.
    (3) Provide resources sufficient to monitor and assess network administration activities to ensure compliance with federal laws and regulations, SBA policies and procedures, NIST guidance, and industry best practices.
    (4) In coordination with program directors, develop procedures for controlling contractor personnel access to the network and applications. Procedures should be established to:
        • Require Contracting Officers' Technical Representatives (COTRs) to notify security administrators in writing of each contractor employee needing a network and application account, along with the privileges to assign to the account.
        • Require all network and application accounts established for contractor personnel to be created with a renewal or termination date not to exceed one year or the length of the contract, whichever is less.
    (5) In coordination with the Office of Human Capital Management (OHCM), develop procedures for network and application security administrators to receive notification of the termination of SBA employees.
Status as of 9/30/04: Open. Weaknesses in network and financial system account administration were identified during the FY 2004 audit. See finding 2D in Attachment 1.

Condition: OIG Report 4-19, Finding 2B: Physical controls over hardware at DFC were weak. Routers connected to the DFC network were located in an unsecured area of the building. Anyone entering the building, after passing through security, could potentially gain access to these routers and disconnect the wires connected to them, thus bringing down portions of the network.
Recommendation 2B: We recommend that the Chief Financial Officer instruct the Director of DFC to establish adequate physical security for the routers by either moving them to a restricted area where access is limited to authorized individuals, such as the server room, or developing compensating controls, such as constructing a security cage.
Status as of 9/30/04: Closed. DFC has enclosed the switches and limited access to them using a padlock.

Condition: OIG Report 4-19, Finding 2C: [FOIA Ex. 2]
Recommendation 2C: We recommend that the Chief Information Officer:
    (1) [FOIA Ex. 2]
    (2) Create new network accounts for non-headquarters network administrators with limited domain administrative privileges to add and delete users and to add, delete, and modify objects within office Organization Units.
    (3) Develop and implement procedures to perform periodic reviews of highly privileged accounts to assess the continuing need for the accounts and their privileges.
Status as of 9/30/04: Open.

Condition: OIG Report 2-18, Finding 2A: System administrators (network and LAS) at SBA field offices are not effectively carrying out their duties and responsibilities. Additionally, OCIO has not established a method to monitor field office security activities. For instance, we observed the following during field office visits:
    • LAS security administrators at some offices are providing all users with the same privileges.
    • Some LAS user account privileges are excessive.
    • Server security settings are not always configured correctly.
    • Not all network user accounts are properly set up or monitored, require passwords, or require passwords to be changed every 90 days.
    • System administrators do not always set all accounts to lock out or become disabled after three failed login attempts.
Recommendation 2B: We recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that SBA develop and implement standard operating procedures for network system and security administrators that provide adequate guidance, describe procedures for maintaining the network and other system accounts, and ensure that accounts belong only to authorized individuals. These procedures should:
    • Provide guidance and technical training opportunities for all network and application security administrators, describing expected duties and supporting successful performance of these duties.
    • Require spot checks of field office servers for compliance with established rules.
    • Conduct physical security reviews of workstations.
SBA agreed with this recommendation and initially projected a completion date of November 1, 2002. This projected completion date was later modified to December 1, 2003.
Status as of 9/30/04: Open. See finding 4E in Attachment 1.

Condition: OIG Report 3-20, Finding 2A: Excessive privileges have been granted to the payroll/personnel systems. Additionally, over 30 different security profiles have been established for the payroll/personnel system. Most of these profiles are for one individual. The combination of these two issues weakens application security controls.
Recommendation 2A: We recommend that the Chief Human Capital Officer review duties and eliminate excessive access granted to the NFC payroll/personnel system. We also recommend that OHCM review its current security profiles and reduce the number of profiles commensurate with job responsibilities.
Status as of 9/30/04: Closed.

Condition: OIG Report 3-20, Finding 2B: OCIO and OHCM have undocumented procedures for informing security personnel of staff separations. By using informal separation procedures, the risk of an unauthorized user retaining access to a system is increased.
Recommendation 2B: We recommended in our Information Systems Controls Report for FY 2001 (OIG 02-18) that OCIO and OHCM formally document staff separation procedures. SBA agreed with this recommendation and initially projected a completion date of November 1, 2002. This date was later modified to February 20, 2003.
Status as of 9/30/04: Closed.

Condition: OIG Report 2-18, Finding 2A, and OIG Report 3-20, Finding 2C: OCIO has not adequately developed and provided technical training for personnel performing security administration activities at either the network or the application level.
Recommendation 2C: We recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that SBA develop and implement technical training for security staff and all network and application security administrators. SBA agreed with this recommendation and initially projected a completion date of November 1, 2002. This date was later modified to December 1, 2003.
Status as of 9/30/04: Open. See finding 1B in Attachment 1.

APPLICATION DEVELOPMENT AND SOFTWARE CHANGE CONTROLS:

Condition: OIG Report 4-19, Finding 3A: Change control policies and procedures for JAAMS and the Financial Reporting Information System (FRIS) are not being properly followed at DFC, because required signatures on SBA's System Implementation Order/Change Control forms are missing.
Recommendation 3A: We recommend that the Chief Financial Officer require that OFM ensure that all change control forms are complete before changes are released into the production environment, and that signatures are present in all spaces provided.
Status as of 9/30/04: Closed.

Condition: OIG Report 4-19, Finding 3B: OCFO's Credit Reform Models did not comply with change control policies, procedures, and documentation requirements in Federal Accounting Standards Advisory Board (FASAB) Technical Releases No. 3 and No. 6 or with SBA system development and program change control policies and procedures. This occurred because:
    • Actual changes to the formulas within the Credit Reform Models were not tracked,
    • Change policies for the models were informal and were not rigorously followed,
    • Computations could not be reperformed, and
    • Documentation needed to support computations did not exist.
Federal Financial Accounting and Auditing Technical Release No. 3, Preparing and Auditing Direct Loan and Loan Guarantee Subsidies under the Federal Credit Reform Act of 1990 (FCRA), also broadly requires agencies to maintain internal controls over models in each of the following categories:
    • Control environment
    • Risk assessment
    • Control activities
    • Information and communication
    • Monitoring
The Office of Inspector General (OIG) released Audit Report No. 3-39, Monitoring of SBA's Implementation of the Disaster Credit Management System, in September 2003; this report identified OCIO's non-compliance with its System Development Life Cycle (SDLC) policy and procedures relating to OCIO's lack of involvement with new systems being developed.
Recommendation 3B: We recommend that the:
    (1) Chief Financial Officer formalize the change control, testing, acceptance, documentation standards, and validation procedures for the Credit Reform Models to conform with FASAB Technical Releases No. 3 and No. 6 and SBA system development and program change control policies and procedures.
    (2) Chief Information Officer develop the means to actively participate in all phases of system development efforts within the agency.
Status as of 9/30/04: Closed.

Condition: OIG Report 4-19, Finding 4C: The OIG released Audit Report No. 3-39, Monitoring of SBA's Implementation of the Disaster Credit Management System, in September 2003; this report identified OCIO's non-compliance with its SDLC policy and procedures relating to OCIO's lack of involvement with new systems being developed.
Recommendation 3C: We recommend that the Chief Information Officer develop the means to actively participate in all phases of system development efforts within the agency.
Status as of 9/30/04: Open.

Condition: OIG Report 1-12, Finding 3: Documentation for system and program changes was outdated, and documentation supporting tests of program changes was inadequate. Specifically, we found that user and programmer test plans and results are not documented to demonstrate that programs are properly tested and approved prior to being placed in operation. OCIO requires basic documents for all systems, including user requirements, design documents, test plans, and implementation and acceptance documents. It also requires retention of User Request Forms that detail program changes; these forms are required to be signed by the programmer and the user to acknowledge acceptance of the change. Compliance is not enforced, because control procedures do not exist to ensure that documentation is being updated and maintained.
Recommendation 3A: We recommend that the Chief Information Officer develop quality control program procedures to periodically review existing applications to assure that documentation is kept current and accurately reflects the cumulative effects of program changes made over time.
Status as of 9/30/04: Open.

SYSTEM SOFTWARE CONTROLS:

Condition: OIG Report 4-19, Finding 4A: Limited Official Use and Restricted Distribution
Recommendation 4A: Limited Official Use and Restricted Distribution
Status as of 9/30/04: Partially completed.

Condition: OIG Report 4-19, Finding 4B: Limited Official Use and Restricted Distribution
Recommendation 4B: Limited Official Use and Restricted Distribution
Status as of 9/30/04: Open.

Condition: OIG Report 4-19, Finding 4C: Although OCIO installed a network intrusion detection system (IDS) and contracted with a vendor to monitor IDS activities and maintain and review all IDS activity logs, OCIO had not developed written policies or procedures to establish requirements and ensure performance.
Recommendation 4C: We recommend that the Chief Information Officer:
    (1) Perform a security assessment to determine the most effective placement of the 20 new sensors.
    (2) Revise the IDS vendor's contract as necessary for the performance factors established in Recommendation No. 4A of this report.
Status as of 9/30/04: Partially complete. OCIO recognized the need to install additional server sensor devices on the network and plans to add another 20 sensors during FY 2004. OCIO has not, however, performed a security analysis to determine the most effective locations for the sensors. See finding 4B in Attachment 1.
                   Status as of\n                                                                                                          9/30/04\n\n\nOIG Report 4-19, Finding 4D: In FY            Recommendation 4D: We recommend that the                     Open\n2003, OCIO obtained password-cracking         Chief Information Officer enhance its password test\nsoftware to periodically test user            procedures to screen all passwords for compliance       See finding 4C\npassword configurations for compliance        with password configuration policy.                     in Attachment\nwith SBA\'s password configuration                                                                     1.\nrequirements and to determine if users        Recommendation 4E: We recommend that the\nwere using easily guessed passwords.          Chief Information Officer in consultation with\nAlthough OCIO\xe2\x80\x99s test process achieved         OHCM, develop procedures for escalating\nthe stated goals, the test process was        administrative consequences for personnel identified\nneither effective nor efficient and created   as not compliant, such as:\npotential security exposures if cracked\npasswords were inadvertently or                  \xe2\x80\xa2   Advise first-time offenders to immediately\nintentionally released to unauthorized               change their passwords to conform to the\nindividuals. OCIO cracks all user                    policy.\npassword files and assesses the time\nrequired to crack as an indicator of             \xe2\x80\xa2   Temporarily disable accounts for a second\ncomplexity. For passwords that crack                 offense, and notify the account owner and\nquickly, OCIO determines what caused                 immediate supervisor.\nthe password to crack and advises the\nuser of corrective action. 
This two-stage        \xe2\x80\xa2   Suspend accounts for a third offense, and\ntest approach is time consuming and                  send a request for adverse personnel action to\nunnecessary to determine compliance                  the office director, OHCM, and the account\nwith password configuration                          holder.\nrequirements.\n\n\nOIG Report 4-19, Finding 4E: Our              Recommendation 4F: We recommend that the                     Open\nnetwork analysis and tests identified         Chief Information Officer conduct periodic network\nsignificant numbers of security               tests to ensure that security features are properly\nweaknesses with the Windows 2000              and fully utilized.\nconfiguration for SBA workstations and\nservers residing on the network.\nAdditionally, OCIO had not completed\nthe Windows 2000 implementation\nproject; thus certain security and\nadministrative controls found in the\nNative Mode could not be installed.\nThese weaknesses substantially reduce\nthe level of assurance that management\ncan place on the adequacy of security\ncontrols to properly secure SBA data and\nnetwork operations from unauthorized\nactivities and safeguard SBA\ninformation technology assets from\nharm. See Attachment 4 for a complete\ndescription of the specific weaknesses\nidentified.\n\n\nOIG Report 3-20, Finding 4A: In our           Recommendation 4A: We recommend that the                    Partially\nprevious audit, we recommended that           Chief Information Officer fully implement the              completed\nSBA enhance policies, procedures and          planned upgraded intrusion detection system and\ntechnical capabilities to monitor the         reporting/monitoring tools. 
Additionally, we            See finding 4B in\n\n                                                          8\n\x0c                                                                                             ATTACHMENT 2\n\n\n              Condition                                   Recommendation                           Status as of\n                                                                                                      9/30/04\nnetwork for suspicious activity. SBA       recommend that the Chief Information Officer          Attachment 1.\nagreed with this recommendation and        develop a rule base and procedures for monitoring\ninitially projected a completion date of   network activity and create and document escalation\nSeptember 30, 2002. This date was later    procedures and timelines for reporting suspicious\nmodified to February 28, 2003.             activity to OCIO security. Further, we recommend\n[FOIA Ex. 2]                               that Chief Information Officer test escalation\n                                           procedures to ensure that responsible personnel\n                                           report questionable activities in a timely manner.\n\n\n\n\nOIG Report 3-20, Finding 4B: OCIO                                                                   Partially\n                                           Recommendation 4B: We recommend that the\nhas not developed the means to test user                                                            Complete\n                                           Chief Information Officer develop and implement\npassword configurations to enforce\n                                           policies and procedures to require:\nSBA\'s password configuration                                                                     Although\nrequirements. 
Also, OCIO has not             \xe2\x80\xa2   All network administration accounts to be       OCIO\xe2\x80\x99s test\nidentified and removed invalid or                password-protected and require passwords on     process\nunnecessary group accounts shared by a           those accounts to be changed every 30 days.     achieved the\nnumber of individuals.                       \xe2\x80\xa2   Periodic review of all administrative-level     stated goals, the\n                                                 accounts and a limit placed on the number of    test process was\n                                                 individuals granted this access.                neither effective\n                                             \xe2\x80\xa2   SBA to annually review its use of group         nor efficient and\n                                                 accounts for only those group accounts that     created potential\n                                                 are valid and necessary for sound network       security\n                                                 management and SBA to prohibit the use of       exposures if\n                                                 generic accounts.                               cracked\n                                             \xe2\x80\xa2   All system users to use more robust             passwords were\n                                                 passwords, to include the combination of        inadvertently or\n                                                 alpha, numeric and special characters.          
intentionally\n                                                                                                 released to\n                                                                                                 unauthorized\n                                                                                                 individuals.\n\n                                                                                                 See finding 4C\n                                                                                                 in Attachment\n                                                                                                 1.\n\n\nOIG Report 3-20, Finding 4C: We            Recommendation 4C: We recommend that the                   Open\n                                                      9\n\x0c                                                                                                  ATTACHMENT 2\n\n\n               Condition                                     Recommendation                          Status as of\n                                                                                                       9/30/04\nnoted instances where personnel were         Chief Information Officer enforce the procedures\nusing unauthorized remote access             currently in place and remove all unauthorized\nsoftware. Recently, OCIO has not             remote desktop software from workstations.\ndeveloped and implemented written\nprocedures for the proper use of remote\naccess software.\n\n\nOIG Report 3-20, Finding 4D: The             Recommendation 4D: We recommend that the                   Open\nconfiguration of Windows 2000 on SBA         Chief Information Officer provide a standard\nworkstations and servers is not adequate     configuration for Windows 2000 consistent with\nto ensure security over SBA data and         NIST and NSA guidelines. We further recommend\nnetwork operations.                          
that the Chief Information Officer complete the\n                                             implementation of Windows 2000, including the\n                                             Exchange servers, so that Windows 2000 can run in\n                                             Native mode, and security features can be properly\n                                             and fully utilized.\n\n\nOIG Report 3-20, Finding 4F: The             Recommendation 4F: We recommend that the                   Open\nOCIO has not applied the most recent         Chief Information Officer adhere to the policies\nrelevant patches to the Windows 2000         previously developed and apply all relevant           For audit\noperating system. While OCIO has             appropriate patches necessary to bring Windows        tracking\ndeveloped procedures related to              2000 up to the current patch version as               purposes, OIG\nobtaining, testing and applying software     recommended by the vendor.                            
Report 3-20,\npatches as they are released, these                                                                Finding\nprocedures are not being consistently                                                              Recommendation\nfollowed                                                                                           4F was closed.\n                                                                                                   OIG Report 4-\n                                                                                                   19, Finding 4B,\n                                                                                                   Recommendation\n                                                                                                   4B(1) is open.\n\n                                                                                                   Although SBA\n                                                                                                   asserts that it\n                                                                                                   timely installs\n                                                                                                   patches and fixes\n                                                                                                   to its general\n                                                                                                   support systems,\n                                                                                                   audit testing\n                                                                                                   contradicts this\n                                                                                                   assertion.\n\n\nOIG Report 3-20, Finding 4G:                 Recommendation 4G: We recommended in our                   Open\nAdministrators and security 
personnel        Information System Controls Report for FY 2001\nare not adequately trained to allow them     (OIG 02-18) that OCIO provide appropriate training    For audit\nto fully understand their responsibilities   and periodic retraining to security personnel and     tracking\nand handle possible security violations.     administrators to allow them to perform security      purposes, OIG\n                                             responsibilities effectively. SBA agreed with this    Report 3-20,\n                                             recommendation and projected a completion date of     Finding\n                                             March 31, 2003. Therefore, we are making no           Recommendation\n                                             recommendation at this time.                          4G was closed.\n                                                                                                   However, the\n                                                                                                   finding remains\n\n                                                        10\n\x0c                                                                                                     ATTACHMENT 2\n\n\n               Condition                                      Recommendation                             Status as of\n                                                                                                           9/30/04\n                                                                                                       open.\n\n                                                                                                       See finding 1C in\n                                                                                                       Attachment 1.\nSEGREGATION OF DUTY\nCONTROLS:\n\nOIG Report 4-19, Finding 5A: Proper          Recommendation 5A: We recommend that the                       
Closed\nseparation of duties for changes to          Chief Financial Officer instruct DFC management to\nJAAMS and FRIS had been identified on        take steps necessary to ensure that individuals are not\nthe System Implementation Change             allowed to complete incompatible areas during the\nControl Form used at DFC; these              system implementation and change process. In\nseparation-of-duties controls were not,      addition, management should review all change\nhowever, fully enforced by management.       control forms to verify that proper separation is in\nIndividuals were completing more than        place.\none area of the form, thus subverting\ncontrols intended to ensure proper\nseparation of duties. Inadequate\nseparation of duties increases the\npotential for unauthorized code to be\nimplemented and placed into production\nthat could result in unauthorized\nactivities.\n\n\nOIG Report 1-12, Finding 5A: SBA             Recommendation 5A: We recommend that the                       Open\ngenerally has appropriate segregation of     Chief Information Officer, in conjunction with the\nduties throughout its information system     appropriate program offices continue its efforts to\nenvironment; individuals generally do        identify and eliminate incompatible duties,\nnot have the ability to conduct              responsibilities, and functions.\nunauthorized actions or gain\nunauthorized access to assets or records.\nHowever, some instances of inadequate\nsegregation of duties were identified.\nFor example, one individual at a field\noffice was the security officer for LAS, a\nsenior loan officer on LAS, and had\nsupervisory privileges on the Field\nCashiering System.\n\n\nSERVICE CONTINUITY\nCONTROLS:\n\nOIG Reports 3-20, and 4-19, Finding          (Findings were repeated from audit 3-20 to audit               Open\n6: SBA cannot ensure that operations         4-19)\ncan be brought back within an                                              
                            Business\nacceptable period of time in the event of    Recommendation 6A: We recommend that the                  Resumption\na disaster or disruption in service. We      Chief Operating Officer develop an agency-wide            plans remain\nreviewed service continuity plans and        business impact analysis that captures all identified     incomplete and\nprocedures at SBA headquarters and           needs within stated recovery times. At a minimum,         untested.\nfield sites at DFC, Sacramento Disaster      the analysis would identify:\nArea office, and Fresno Commercial\nLoan Service Center. We noted                   \xe2\x80\xa2   Critical SBA business processes.\nweaknesses in business resumption plans\n\n                                                         11\n\x0c                                                                                                      ATTACHMENT 2\n\n\n               Condition                                     Recommendation                              Status as of\n                                                                                                           9/30/04\n(BRP) and service continuity policies          \xe2\x80\xa2   General support systems and major\nand procedures at all three field sites.           applications that would be needed in a\n                                                   recovery process to support critical SBA\nThe following are specific exceptions              business processes.\nnoted by field site:\n                                               \xe2\x80\xa2   Required recovery time periods.\n\xe2\x80\xa2 DFC had not developed or\n  documented a test plan for testing its    Recommendation 6B: We recommend that the\n  BRP and had not established a target      Chief Operating Officer finalize the draft COOP, to\n  date for completing testing.              
include the following items:\n\n\xe2\x80\xa2 The Sacramento Disaster Area Office          \xe2\x80\xa2   List of personnel and other resources related\n  did not have a documented BRP, its               to the critical system that would be needed in\n  tape backup procedures did not meet              a recovery process.\n  SBA requirements, and it did not store\n  tapes offsite.                               \xe2\x80\xa2   Provisions for plan testing by each field\n                                                   office, disaster office, and headquarters at\n\xe2\x80\xa2 The Fresno Commercial Loan Service               least every 3 years.\n  Center had not tested or updated its\n  BRP since 2001 and did not have              \xe2\x80\xa2   Provisions for annual training on plan\n  adequate off-site storage of the                 execution.\n  office\xe2\x80\x99s backup tapes.\n                                               \xe2\x80\xa2   Requirements for distribution of the plan to\nThe SBA Headquarters Continuity of                 appropriate individuals.\nOperations Plan (COOP) was\nsuccessfully tested in March 2003. In\n                                               \xe2\x80\xa2   Identification of established contracts with\nSeptember 2003, SBA moved the                      external vendors as necessary to support the\nJAAMS general ledger system from\n                                                   business continuity plan and disaster\nEagan, Minnesota, to a new data\n                                                   recovery plan.\nprocessing facility located in Tempe,\nArizona. 
We understand the JAAMS\n                                               \xe2\x80\xa2   Assurance that all field sites have current,\nCOOP was tested after fieldwork ended.\n                                                   documented, and tested business resumption\n                                                   plans in place.\nWithout adequate service continuity\ncontrols, SBA has reduced assurance\n                                               \xe2\x80\xa2   Provisions to inform all field sites of their\nthat it can provide an orderly and\n                                                   responsibilities for keeping the business\nreasonable recovery process.\n                                                   resumption plans current and tested.\nWeaknesses with SBA\xe2\x80\x99s COOP were\npreviously noted in OIG Audit Report           \xe2\x80\xa2   Provisions to ensure that all field sites adhere\nNo. OIG 02-18. In that report, we                  to SBA policy requiring backup tapes to be\nrecommended that the Chief Operating               stored offsite.\nOfficer (COO) complete a formal\nbusiness impact analysis in support of         \xe2\x80\xa2   Provisions to ensure that BRPs include\nCOOP and ensure the COOP properly                  procedures for safekeeping critical business\naddressed the required elements                    documents, such as loan files, to ensure their\n(Recommendation Nos. 6A and 6B). We                availability.\nconsider the COO\xe2\x80\x99s actions to date as\nnon-responsive. 
Additionally, at the exit\nmeeting, the CIO stated that OCIO\ncannot take responsibility for all facets\nof SBA\xe2\x80\x99s disaster recovery and business\ncontingency planning and tests.\n\n\n\n\n                                                       12\n\x0c                                                                                                     ATTACHMENT 2\n\n\n                Condition                                     Recommendation                            Status as of\n                                                                                                          9/30/04\n7A: SBA\'s mainframe computer\noperations disaster recovery hot-site test    Recommendation 7A: We recommended in our                     Open\ndid not include a test of the                 Information System Controls Report for FY 2001\ncommunication linkage between                 (OIG 02-18) that OCIO revise current contractual\nheadquarters and the hot-site facility.       agreements with its communication supplier to\n                                              include setting up a temporary dedicated line\n                                              between headquarters or a major business center\n                                              and the hot-site mainframe recovery facility in the\n                                              event of a problem. 
OCIO agreed with this\n                                              recommendation and projected a completion date of\n                                              July 1, 2003.\n\n7B: Weak mainframe computer operation         Recommendation 7B: We recommended in our                     Open\ncontrol increases the risk of lost LAS data   Information System Controls Report for FY 2001\nand data processing capability and            (OIG 02-18) that SBA enter into an agreement with\nhinders SBA\xe2\x80\x99s ability to carry out its        the third-party mainframe service provider to\ndaily functions. We identified physical       correct identified weaknesses and allow periodic\nand management access control                 reviews of controls by SBA representatives. SBA\nweaknesses with the mainframe computer        agreed with this recommendation and projected a\ndata processing center and computer           completion date of March 31, 2003.\nroom. Specifically, we identified the\nfollowing conditions:                         We also recommended in our Information System\n                                              Controls Report for FY 2001 (OIG 02-18) that SBA\nFacility management has not established       continue to pursue with the General Services\ninternal control to ensure that:              Administration a requirement for the third-party\n                                              mainframe service provider to undergo an annual\nConsole logs are reviewed on a regular        SAS 70 type of audit of its data processing facility\nbasis.                                        and make audit results available to SBA. SBA\nOnly current employees have console           agreed with this recommendation and projected a\nuser accounts.                                
completion date of August 31, 2005.\n Console account passwords comply with\n SOP 90-47.\nApplication Controls:\n\nOIG Report 3-20, Finding 8C: We               Recommendation 8E: We recommend that the                     Open\nnoted that JAAMS does not support             Chief Financial Officer in conjunction with\nmaintaining a password history,               OCIO update systematic password and log-in              See finding 2E\ndisable a user after a failed number of       controls in JAAMS to be consistent with SBA             in Attachment\n                                                                                                      1.\nlog-in attempts, or prevent concurrent        standard password policy. These controls\nlog in by the same user ID.                   should include creation of a password history\n                                              log to prevent repeat use of passwords,\n                                              systematic controls to lock out users after a\n                                              number of failed log-in attempts, and systematic\n                                              controls to prevent concurrent logins from the\n                                              same user ID.\n\n\n\nOIG Report 3-20, Finding 8C: We               Recommendation 8G: We recommend that the                   Partially\nnoted that several users have excessive       Chief Information Officer in conjunction with              Complete\naccess privileges, and several have access    OCFO require the JAAMS security\ndiffering from their access request forms.                                                            While the\n                                              administrator to perform an annual review of\nProcedures for periodically reviewing                                                                 procedures were\nuser access do not exist.                     
                                                                                     ATTACHMENT 2

(Table continued from previous page)

Recommendation (continued): JAAMS users to ensure that no user has excessive access, and that all users are current, authorized JAAMS users.

Status as of 9/30/04 (continued): implemented to perform an annual review, documentation did not exist to ensure that the review was performed annually.

Condition: OIG Report 3-20, Finding 8C: We noted that security officers within OCIO do not have the requisite functional knowledge and have not received the appropriate training to adequately administer JAAMS security.

Recommendation 8I: We recommend the CIO provide adequate training and periodic retraining to enable JAAMS security administrators to effectively perform their duties.

Status as of 9/30/04: Partially Complete. While initial training was provided to JAAMS security personnel, documentation did not exist to ensure that training was performed periodically.

                                                                      ATTACHMENT 3-A

                     U.S. Small Business Administration
                            Washington, D.C.

                                                   January 28, 2005

To:    Robert G. Seabrooks
       Assistant Inspector General for Auditing

      /S/ Original Signed
From: Jerry E. Williams
      Acting Chief Information Officer

Subject:   Comments on Draft Audit of SBA's Information System Controls

Attached please find the response and comments from the Office of the Chief Information Officer to the subject audit. We appreciated the opportunity to review this report and we look forward to the improvements that should result from acting on many of its recommendations.

Our response and comments are attached within the body of the draft report and accompanied by four additional Attachments A - D. We are of course available to discuss the details and background of our comments at your request.
If you have any questions please contact Dan Vellucci of my staff by telephone on 202-205-[FOIA Ex. 2].

Attachments

Page 4, FY 2004 Results:
OCIO Response and Comments (bullet 5 above, underlined): OCIO can neither agree nor disagree with this assessment because its meaning is unclear. OCIO requests that OIG modify this language to make the following distinction: Is the assertion that the Sun Solaris OS baseline configuration itself is not acceptable or that the baseline configuration is not adequately documented? If the issue is related to documentation, OCIO would request that the report language clarify this fact and provide specific recommendations with respect to completing or improving deficient areas of system documentation. If the issue is related to the system's actual configuration, OCIO would request that the report language list specific system configuration deficiencies, so that developers can be assigned to correct these areas immediately.

Recommendation 1B: OCIO Response: Partially Agree. We agree with the intent of the recommendation, which is aimed at assuring adequate human resource coverage for IT operations and systems management. We will develop internal procedures and recommended practices, such as cross-training and job shift planning, for responsible managers to consider using. However, we do not intend to formulate or suggest personnel policies with regard to mandatory annual leave scheduling, which we believe to be a substantive matter directed by the Office of Human Capital Management and implemented by individual managers.

Recommendation 2A: OCIO Response: Partially Agree. OMB has directed OCIO to selectively automate SBA's paper forms and associated work processes. Using Metastorm eWORKS electronic forms and workflow software, OCIO will include these access requests within that effort.

Recommendation 2C: OCIO Response: Agree. As stated in response to Recommendation 2A, OCIO is currently automating SBA's paper forms, utilizing Metastorm eWORKS workflow software, and recommends using electronic forms for the IT systems and network access process. We note that in the case of temporary or emergency access a manual process may be necessary as an alternative.

Recommendation 2D: OCIO Response: Agree. We agree with the recommendation but note that considerable effort and cost would be involved in implementing these modifications, which would be applied to a Loan Accounting System that is aged and due for re-engineering. Our estimate for making LAS changes alone would be approximately $1.5 - 2.0 million. That amount is not available within the budget at this time.

Recommendation 2F: OCIO Response: Agree. We note that some open network accounts have been extended for previous SBA executives. We have requested policy guidance from the Office of General Counsel on this matter to establish appropriate account de-activation deadlines for certain executives.

Recommendation 2G: OCIO Response: OCIO will define minimum requirements for MA and GSS audit logs addressing each platform and including retention requirements; assign responsibility for review and retention of GSS audit logs; work with system owners to assure the review and retention of MA audit logs. The system owner for the MAs will be responsible for assigning responsibility for review and retention of MA audit logs. During Certification and Accreditation, IT Security will validate the implementation. The response to Sybase issues is covered in our reply to Recommendation 2-J below.

Note: Considerable effort and cost would be involved in implementing these modifications, which would be applied to a Loan Accounting System that is aged and due for re-engineering. Our estimate for making LAS changes with audit log capabilities would be approximately $6.0 million. That amount is not available within the budget at this time.

Recommendation 2I: OCIO Response: Agree. OCIO will review the CIS benchmark for Oracle and set the minimum standards for SBA Oracle database management systems. OCIO will work with ODA and CFO to implement these standards. During Certification and Accreditation, IT Security will validate the implementation.

Recommendation 2J: OCIO Response: Partially Agree. An initial workplan for FISCAM Attachment 7 tasks is enclosed at Attachment A.

Recommendation 3A: OCIO Response and Comments: Disagree. OCIO agrees with the recommendation to inform SBA personnel about use of the SDM and we believe we are already doing that. OCIO is currently improving and expanding existing routine communications to inform SBA personnel of the SDM and the requirement to follow its methodology. Additionally, OCIO already conducts periodic audits or project reviews to ensure compliance with the SDM, as part of the Agency-wide Project Health Check process that the OCIO organization manages. (Examples at Attachment B.) Accordingly, OCIO requests that this recommendation be removed from the report, because OCIO has completed action on both parts of this recommendation and does not consider them outstanding issues. OCIO views these recommendations as best practices that the organization has already implemented.

OCIO Response and Comments (para 1 above): OCIO disagrees with the statement regarding SDM standards as applied to LAS, and requests that it be deleted. OCIO has documented the change control process for all mainframe applications, including LAS, and this change control process is fully consistent with and based upon the SBA SDM. Attached at C are: (1) Mainframe Change Control Process Policy; (2) Mainframe Change Control Process Flow Diagrams; and (3) Mainframe Change Control Form. These documents are institutionalized parts of OCIO's change control procedures and detail the requirements for mainframe configuration changes.

See Attachment D.
1. Mainframe Development to Production Software Release Process
2. Mainframe Change Control Process Flowchart
3. Mainframe Change Control Form

OCIO Response and Comments (para. 3 above): OCIO disagrees with the statement regarding periodic audits to verify SDM usage, and requests that the statement be deleted. OCIO periodically conducts Project Health Checks with all major projects (those documented in Exhibits 300) to monitor project performance and compliance with the SDM. There is a standard format/Health Check Evaluation Form and standard criteria that are used for all Health Checks, including compliance with the SDM, to evaluate the health of a project. OCIO has conducted and documented Health Checks for all major projects except LAS. Attached at B are three out-briefs from completed Health Checks, covering the Disaster Credit Management System (DCMS), the Entrepreneurial Development Management Information System (EDMIS), and the Office of General Contracting and Business Development's 8(a) and SDB Electronic Application. If the concern is a Health Check for LAS itself, OCIO requests that the report be amended to state only that "periodic reviews of LAS applications have not been completed."
The current report language appears to be overly broad and does not accurately depict OCIO's agency-wide SDM compliance monitoring activities as supported by standard tools and processes. We are enclosing a copy of several completed Health Checks as examples. (Attachment A.)

Recommendation 4A: OCIO Response: Agree.

Recommendation 4C: OCIO Response: Agree. OCIO's Network Integration Branch (NIB) will assess the current Windows 2000 Server standard configuration. Once complete, NIB will research NIST and NSA Windows 2000 Server guidelines and evaluate each recommended item for its necessity and effect on SBA servers, then comply as deemed necessary.

Recommendation 5B: OCIO Response: Disagree. OCIO believes this responsibility lies with the system owner (CFO) since they alone have the specific knowledge required to determine whether appropriate segregation of duties and responsibilities are being maintained based upon access permissions granted to users.

Recommendation 5C: OCIO Response: Agree.

Recommendation 6A: OCIO Response: Agree. We agree with this recommendation but believe that all COOP related activities, except those directly related to critical IT systems, should be managed at the Chief Operating Officer level within the Agency.

                                                                                       ATTACHMENT 3-B

                                                                U.S. Small Business Administration
                                                                Office of the Chief Financial Officer
                                                                       Washington DC 20416

To:         Robert G. Seabrooks
            Assistant Inspector General for Audit

      /S/ Original Signed
From: Thomas Dumaresq
      Chief Financial Officer

CC:         Jennifer Main
            Deputy Chief Financial Officer

            Jerry Williams
            Acting Chief Information Officer

Date:       January 25, 2005

Re:         Response to Audit of SBA's Information System Controls for Fiscal Year 2004

This is a response to the report issued by the Office of the Inspector General titled "Audit of SBA's Information System Controls". The Office of the Chief Financial Officer has received four recommendations that are related to the administrative accounting system. Our response to each recommendation is stated below.

•  Recommendation 2B: We recommend that the Chief Financial Officer:

   -  Ensure access to JAAMS is granted only when requested via Form 2200;

   -  Ensure all access request forms are maintained on file for future reference. Access request forms should be periodically traced to active user accounts to make sure access in JAAMS agrees with the access that was requested and approved.

•  Response to 2B: Based on our discussion and Ethel Mathews' agreement, this recommendation will be re-directed to the Office of the Chief Information Officer.

•  Recommendation 2E: We recommend that the Chief Financial Officer continue with the planned upgrade of the Oracle application and database for JAAMS.
   Security settings should be enabled to enforce strong password controls, including password history and automatic lock-out after a set number of failed login attempts.

•  Response to 2E: We agree. We have completed the upgrade to Oracle Federal Financials 11.5.9, and have implemented the appropriate password complexity enforcement and history. Patchset FND-H implements lockout after a number of failed attempts, and will be implemented prior to the end of the second quarter. All non-application database accounts have been assigned to appropriate profiles that enforce complexity, history, and lockout. Application database accounts remain with the default profile; however, compensating controls are being developed to ensure the use of FNDCPASS on a periodic basis consistent with best practices and SOP 90-47.

•  Recommendation 2H: We recommend that the Office of the Chief Financial Officer:

   -  Require that all activities by Oracle database administrators be logged.

   -  Require periodic review of database logs by someone outside of Corio, preferably an individual within OFS or OCIO Security with an understanding of the production Oracle database. Audit logs should not be reviewed by the individuals being audited.

   -  Take steps necessary to ensure all activity in JAAMS involving access to and modifications of sensitive or critical files at the application level is logged.

   -  Assign responsibility for periodic review of JAAMS application logs.

•  Response to 2H: We agree. We will work with our ASP to extend auditing to all accounts assigned to ASPUSER, SBAUSER, and ASPSYS profiles. Furthermore, we will establish procedures for weekly emailing and review of the activity in both the Form level auditing logs as well as the database level logs. Target completion is the end of the second quarter.

•  Recommendation 5A: We recommend that the Chief Financial Officer identify individuals with incompatible or excessive responsibilities within JAAMS. These include the following privileges: Alert Manager, Application Developer, Federal Administrator, General Ledger Super User, SBA Credit Card, SBA NFC Payroll Processing, Systems Administration, Systems Maintenance, and Translation Manager.

•  Response to 5A: We agree with this recommendation.

The report also assigns recommendations for 2C and 2I to the Office of the Chief Information Officer in conjunction with the Office of the Chief Financial Officer. We will work with the OCIO on the two recommendations.

I thank you for the opportunity to respond to the audit report. We are looking forward to continuing to work with the Office of the Inspector General on future audits.

                                                                ATTACHMENT 3-C

From:           Brechbiel, Richard
Sent:           Monday, January 31, 2005 3:27 PM
To:             Harai, Richard K.
Cc:             Gates, M. Catherine; Stoehr, Melissa A.
Subject:        RE: Issuance of Audit Report on SBA Information System Controls

With regard to Recommendation 1A, I am not comfortable having a policy that requires mandatory vacations for employees. Annual leave is earned and employees are allowed to use it at their discretion. For example, if an employee is attempting to build their balance to the 240 hour carry over limit, I do not believe that we can require them to use annual leave in lieu of that effort. It might be possible to have periodic job rotations for employees in such positions. However, this would assume there was sufficient staff with the requisite clearances to allow such temporary assignments. While assignment of work is a traditional right of management, we may have to involve the Union as it could be viewed as a change in working conditions.

                                                                                ATTACHMENT 3-D

                      Audit of SBA's Information System Controls
                                   January 28, 2005
                OCIO/OHCM/OCFO Response with Auditor Comments
    (Certain Recommendations were changed and renumbered from the Draft Report)

1. Entity-Wide Security Program Controls

Recommendation 1A: Partially Agree – SBA is not comfortable having a policy that requires mandatory vacations for employees. Annual leave is earned and employees are allowed to use it at their discretion.
For example, if an employee is attempting to build their balance to the 240 hour carry over limit, SBA believes it cannot require them to use annual leave in lieu of that effort. It might be possible to have periodic job rotations for employees in such positions. However, this would assume there was sufficient staff with the requisite clearances to allow such temporary assignments. While assignment of work is a traditional right of management, we may have to involve the Union as it could be viewed as a change in working conditions.

Auditor Response: Some method of periodic job rotations for employees in sensitive IT positions will be needed. Adjudication of the recommendation will occur in the audit follow-up process.

Recommendation 1B: Partially Agree – SBA agrees with the intent of the recommendation, which is aimed at assuring adequate human resource coverage for IT operations and systems management. We will develop internal procedures and recommended practices, such as cross-training and job shift planning, for responsible managers to consider using. However, we do not intend to formulate or suggest personnel policies with regard to mandatory annual leave scheduling, which we believe to be a substantive matter directed by the Office of Human Capital Management and implemented by individual managers.

Auditor Response: SBA will need to adopt a formal policy between the Office of Human Capital Management and the Office of Chief Information Officer to enact periodic job rotations for employees in sensitive IT positions. The policy should be part of an updated SOP 90-47. Adjudication of the recommendation will occur in the audit follow-up process.

2. Access Controls

Recommendation 2A: Partially Agree – OMB has directed OCIO to selectively automate SBA's paper forms and associated work processes. Using Metastorm eWORKS electronic forms and workflow software, OCIO will include these access requests within that effort.

Auditor Response: Some method of tracing or annually reviewing access request forms to determine if access requests are documented will need to be incorporated into this process.

Recommendation 2B: Based on our discussion and Ethel Mathews' agreement, this recommendation will be re-directed to the Office of the Chief Information Officer.

Auditor Response: The recommendation was redirected to the SBA Computer Security Officer within the Office of Chief Information Officer.

Recommendation 2C: Agree – As stated in response to Recommendation 2A, OCIO is currently automating SBA's paper forms, utilizing Metastorm eWORKS workflow software, and recommends using electronic forms for the IT systems and network access process. We note that in the case of temporary or emergency access a manual process may be necessary as an alternative.

Recommendation 2D: Auditor Response – Original recommendation 2D was separated into 2D for the Network and 2E for LAS for the final report. SBA only responded to the LAS portion [2E] of the recommendation.

Recommendation 2E (Original 2D): Agree – We agree with the recommendation but note that considerable effort and cost would be involved in implementing these modifications, which would be applied to a Loan Accounting System that is aged and due for re-engineering. Our estimate for making LAS changes alone would be approximately $1.5 - 2.0 million. That amount is not available within the budget at this time.

Auditor Response: Because of the information within LAS and its importance to the Agency, SBA must decide whether to implement the corrective actions necessary to ensure that LAS meets its security requirements as defined by OMB Circular A-130 and NIST 800 series publications, or SBA must decide that implementing such security requirements is not cost-effective and begin the process of replacing LAS with a system which can meet the security requirements. SBA cannot agree with the recommendation and at the same time state that it is not going to implement the recommendation and thus properly secure its information.

Recommendation 2F (Original 2E): We agree. We have completed the upgrade to Oracle Federal Financials 11.5.9, and have implemented the appropriate password complexity enforcement and history. Patchset FND-H implements lockout after a number of failed attempts, and will be implemented prior to the end of the second quarter. All non-application database accounts have been assigned to appropriate profiles that enforce complexity, history, and lockout. Application database accounts remain with the default profile; however, compensating controls are being developed to ensure the use of FNDCPASS on a periodic basis consistent with best practices and SOP 90-47.

Recommendation 2G (Original 2F): Agree. We note that some open network accounts have been extended for previous SBA executives. We have requested policy guidance from the Office of General Counsel on this matter to establish appropriate account de-activation deadlines for certain executives.

Recommendation 2H (Original 2F): Auditor Response – Original recommendation 2F was separated into 2G for the Network and 2H for periodically reviewing all General Support Systems and Major Applications for the final report.

Recommendation 2I (Original 2G): OCIO will define minimum requirements for MA and GSS audit logs addressing each platform and including retention requirements; assign responsibility for review and retention of GSS audit logs; work with system owners to assure the review and retention of MA audit logs. The system owner for the MAs will be responsible for assigning responsibility for review and retention of MA audit logs. During Certification and Accreditation, IT Security will validate the implementation. The response to Sybase issues is covered in our reply to Recommendation 2-J [2-L] below.

Note: Considerable effort and cost would be involved in implementing these modifications, which would be applied to a Loan Accounting System that is aged and due for re-engineering. Our estimate for making LAS changes with audit log capabilities would be approximately $6.0 million. That amount is not available within the budget at this time.

Auditor Response: Because of the information within LAS and its importance to the Agency, SBA must decide whether to implement the corrective actions necessary to ensure that LAS meets its security requirements as defined by OMB Circular A-130 and NIST 800 series publications, or SBA must decide that implementing such security requirements is not cost-effective and begin the process of replacing LAS with a system which can meet the security requirements. SBA cannot agree with the recommendation and at the same time state that it is not going to implement the recommendation and thus properly secure its information.

Recommendation 2J (Original 2H): We agree. We will work with our ASP to extend auditing to all accounts assigned to ASPUSER, SBAUSER, and ASPSYS profiles. Furthermore, we will establish procedures for weekly emailing and review of the activity in both the Form level auditing logs as well as the database level logs. Target completion is the end of the second quarter.

Recommendation 2K (Original 2I): Agree. OCIO will review the CIS benchmark for Oracle and set the minimum standards for SBA Oracle database management systems. OCIO will work with ODA and CFO to implement these standards. During Certification and Accreditation, IT Security will validate the implementation.

Recommendation 2L (Original 2J): Partially Agree. An initial workplan for FISCAM Attachment 7 tasks is enclosed at Attachment A.

Auditor Response: We acknowledge management's plan; however, the plan does not address all critical areas in an adequate manner (i.e., adequate logging does not only include failed login attempts). Management should take corrective actions for all identified discrepancies. We will evaluate remediation efforts during the FY05 audit.

3. Application Software Development and Program Change Controls

Recommendation 3A: Disagree. OCIO agrees with the recommendation to inform SBA personnel about use of the SDM and we believe we are already doing that. OCIO is currently improving and expanding existing routine communications to inform SBA personnel of the SDM and the requirement to follow its methodology. Additionally, OCIO already conducts periodic audits or project reviews to ensure compliance with the SDM, as part of the Agency-wide Project Health Check process that the OCIO organization manages.
(Examples at Attachment B.) Accordingly, OCIO requests that this recommendation be removed from the report, because OCIO has completed action on both parts of this recommendation and does not consider them outstanding issues. OCIO views these recommendations as best practices that the organization has already implemented.

OCIO Response and Comments (para 1 above): OCIO disagrees with the statement regarding SDM standards as applied to LAS, and requests that it be deleted. OCIO has documented the change control process for all mainframe applications, including LAS, and this change control process is fully consistent with and based upon the SBA SDM. Attached at C are: (1) Mainframe Change Control Process Policy; (2) Mainframe Change Control Process Flow Diagrams; and (3) Mainframe Change Control Form. These documents are institutionalized parts of OCIO's change control procedures and detail the requirements for mainframe configuration changes.

See Attachment D.
1. Mainframe Development to Production Software Release Process
2. Mainframe Change Control Process Flowchart
3. Mainframe Change Control Form

OCIO Response and Comments (para. 3 above): OCIO disagrees with the statement regarding periodic audits to verify SDM usage, and requests that the statement be deleted. OCIO periodically conducts Project Health Checks with all major projects (those documented in Exhibits 300) to monitor project performance and compliance with the SDM. There is a standard format/Health Check Evaluation Form and standard criteria that are used for all Health Checks, including compliance with the SDM, to evaluate the health of a project. OCIO has conducted and documented Health Checks for all major projects except LAS. Attached at B are three out-briefs from completed Health Checks, covering the Disaster Credit Management System (DCMS), the Entrepreneurial Development Management Information System (EDMIS), and the Office of General Contracting and Business Development's 8(a) and SDB Electronic Application. If the concern is a Health Check for LAS itself, OCIO requests that the report be amended to state only that "periodic reviews of LAS applications have not been completed." The current report language appears to be overly broad and does not accurately depict OCIO's agency-wide SDM compliance monitoring activities as supported by standard tools and processes. We are enclosing a copy of several completed Health Checks as examples. (Attachment A.)

Auditor Response: The audit finding and recommendation were reworded to be more exactly what was identified during fieldwork. LAS programmers were unaware of SBA's SDM and proper change control procedures that should have been in effect for making changes to code, testing and acceptance of software. Therefore, we believe that better training in configuration management is warranted along with more defined procedures for programming, testing, and acceptance.

4. System Software Controls

Recommendation 4A: Agree.

Recommendation 4B: SBA did not respond to recommendation 4B.

Recommendation 4C: Agree. OCIO's Network Integration Branch (NIB) will assess the current Windows 2000 Server standard configuration. Once complete, NIB will research NIST and NSA Windows 2000 Server guidelines and evaluate each recommended item for its necessity and effect on SBA servers, then comply as deemed necessary.

5. Segregation of Duty Controls

Recommendation 5A: We agree with this recommendation.

Recommendation 5B: Disagree. OCIO believes this responsibility lies with the system owner (CFO) since they alone have the specific knowledge required to determine whether appropriate segregation of duties and responsibilities are being maintained based upon access permissions granted to users.

Auditor Response: While we believe this is true for JAAMS (to an extent, as OCIO is still responsible for aspects of security administration for JAAMS), the responsibility for LAS resides entirely with OCIO. Since this entire recommendation discusses the problems with LAS, this response is not adequate to address this recommendation. Given that OCIO Security has the responsibility for security for systems that cross SBA Office boundaries, OCIO is responsible for ensuring the LAS security officers are not also acting as users of the system.

6. Service Continuity Controls

Recommendation 6A: Agree. We agree with this recommendation but believe that all COOP related activities, except those directly related to critical IT systems, should be managed at the Chief Operating Officer level within the Agency.

Recommendation 6B: Auditor Response – Original recommendation 6A was separated into two recommendations to separate the IT aspects of the recommendation from the operational aspects of SBA's COOP program.

                                                                                                         ATTACHMENT 9

                                           REPORT DISTRIBUTION

Recipient                                                                   Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ..................................................... 1

General Counsel .............................................................. 3

U.S. Government Accountability Office ........................................ 1